While attempting to debug my OpenID implementation with Google, which kept returning Apache 406 errors, I eventually learned that my web host doesn't let a string containing "/id" pass as a GET parameter (something like "example.php?anyattribute=%2Fid" once URL encoded).
That's rather annoying, as Google's OpenID endpoint includes this very "/id" (https://google.com/accounts/o8/id), so my application returns 406 errors every time I sign in with Google because of this. I asked my web host, who explained it has been disabled for security reasons.
I could use POST instead, of course. But has anybody got an idea why this might cause security problems???
It can't; your host is being stupid. There is nothing magical about the string /id.
Sometimes people do stupid things with the string /id, like assuming they know what follows it, so that example.com/mysensitivedata/id/3/ shows my data because my user has id 3, and, being the sneaky sort, I wonder what happens if I navigate to example.com/mysensitivedata/id/4/, and your site blindly lets me through to see somebody else's stuff.
If that kind of attack breaks your website, no amount of mollycoddling by your host can help you anyway.
One reason a simple ID in the URL might be a security problem is that the user can see their ID and then type a different one in; for example, if it is an integer they might pick the next integer up, and potentially see another customer's info if it's not protected.
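Both answers above describe the same failure: an ID taken from the URL is used to look up a record without checking that the signed-in user owns it. The following is an added example, not code from the original thread, showing that unchecked lookup beside a hardened version that checks ownership against the server-side session. The record store, user ids, the mysensitivedata/id/<n>/ URL shape and the handler names are constructed for illustration; it also shows why filtering the literal string "/id" at the host adds nothing, since the risk lies in the unchecked lookup, not in the path segment.

```python
# Added example (not from the original thread): an insecure direct object
# reference (IDOR) lookup beside its hardened form. All data is constructed.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Record:
    id: int
    owner_id: int
    body: str


# Constructed sample store: two users, each owning one record whose id
# happens to equal their user id, as in the answer's example.
RECORDS = {
    3: Record(id=3, owner_id=3, body="user 3's private data"),
    4: Record(id=4, owner_id=4, body="user 4's private data"),
}


class Forbidden(Exception):
    """Raised when the caller may not see the requested record."""


def get_record_vulnerable(record_id: int) -> Optional[Record]:
    """Looks up a record by the id taken straight from the URL.
    Any signed-in user who changes /id/3/ to /id/4/ gets user 4's data."""
    return RECORDS.get(record_id)


def get_record_hardened(current_user_id: int, record_id: int) -> Optional[Record]:
    """Same lookup, but ownership is checked against the authenticated
    session user, which the client cannot edit, not against the URL."""
    record = RECORDS.get(record_id)
    if record is None:
        return None
    if record.owner_id != current_user_id:
        raise Forbidden(f"user {current_user_id} may not read record {record_id}")
    return record


def parse_record_id(path: str) -> Optional[int]:
    """Extracts <n> from /mysensitivedata/id/<n>/ (the shape used in the
    answer). Returns None when the path has a different shape or a
    non-integer id. The '/id' segment is incidental: a route shaped like
    /mysensitivedata/<n>/ would carry exactly the same risk, which is why
    a host-level filter on the literal string '/id' protects nothing."""
    parts = [p for p in path.split("/") if p]
    if len(parts) != 3 or parts[0] != "mysensitivedata" or parts[1] != "id":
        return None
    try:
        return int(parts[2])
    except ValueError:
        return None


def handle_request(path: str, session_user_id: int, hardened: bool = True) -> Tuple[int, str]:
    """Simulates a request and returns (HTTP status, body).
    session_user_id stands for the user id stored in the server-side session.
    Ownership failures answer 404 rather than 403 so the response does not
    confirm that a record with that id exists."""
    record_id = parse_record_id(path)
    if record_id is None:
        return 400, "bad request"
    try:
        if hardened:
            record = get_record_hardened(session_user_id, record_id)
        else:
            record = get_record_vulnerable(record_id)
    except Forbidden:
        return 404, "not found"
    if record is None:
        return 404, "not found"
    return 200, record.body


if __name__ == "__main__":
    # User 3 reads their own record, then tries user 4's record both ways.
    print(handle_request("/mysensitivedata/id/3/", session_user_id=3))
    print(handle_request("/mysensitivedata/id/4/", session_user_id=3, hardened=False))
    print(handle_request("/mysensitivedata/id/4/", session_user_id=3, hardened=True))
```

The ownership check belongs next to the data access, keyed on the session's user id, so it cannot be bypassed by editing anything in the request. Rejecting a substring such as "/id" anywhere in the URL, as the host does, would not have stopped the unchecked lookup and only breaks legitimate values like Google's OpenID endpoint.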