You might also consider using URL(..., user_signature=True) and @auth.requires_signature: http://web2py.com/book/default/chapter/04#Digitally-signed-URLs. That will further ensure that the URL itself has not been tampered with (i.e., no args or vars have been altered).
Anthony

On Sunday, December 11, 2011 9:57:19 AM UTC-5, Anthony wrote:
> Unless you change the encryption key every time, the encrypted id would
> still always be the same, so could still be stolen and used. Instead, you
> might simply want to confirm that the id in request.vars matches the id of
> the current logged-in user.
>
> Anthony
>
> On Sunday, December 11, 2011 2:57:01 AM UTC-5, Constantine Vasil wrote:
>> I am getting user_id = str(auth.user.id), form a link to be clicked
>> later.
>>
>> When clicked on, the browser bar looks like /user?user_id=9
>>
>> That is insecure. How to encrypt it to look like /user?user_id=10iksmwu0
>> (something like that)
>> and decrypt later when extracting from the request_vars?
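The two defenses Anthony describes, as an added stand-alone illustration that is not web2py's own code: a keyed HMAC over the path and query vars (the idea behind URL(..., user_signature=True)) that also binds the signature to the logged-in user, plus the simpler owner check against request.vars. The secret key, the `_signature` parameter name and the function names are constructed for this example.

```python
import hmac
import hashlib
from urllib.parse import urlencode, parse_qs, urlsplit

# Constructed demo secret; a real deployment keeps this server-side and private.
SECRET_KEY = b"constructed-demo-secret-not-for-production"


def sign_url(path, vars, user_id, key=SECRET_KEY):
    """Build a URL whose query carries an HMAC over path, vars and the user's id.
    Hypothetical stand-in for URL(..., user_signature=True); not web2py's code."""
    query = urlencode(sorted(vars.items()))
    message = f"{path}?{query}|{user_id}".encode()
    sig = hmac.new(key, message, hashlib.sha256).hexdigest()
    return f"{path}?{query}&_signature={sig}"


def verify_url(url, current_user_id, key=SECRET_KEY):
    """Recompute the HMAC for the requested URL with the logged-in user's id.
    Any altered path, arg or var, or a replay by a different user, fails."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    presented = params.pop("_signature", None)
    if presented is None:
        return False
    query = urlencode(sorted(params.items()))
    message = f"{parts.path}?{query}|{current_user_id}".encode()
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak the expected digest.
    return hmac.compare_digest(presented, expected)


def owner_check(request_vars, auth_user_id):
    """The simpler check from the reply: the id in the request must be the
    id of the currently logged-in user, not just any valid id."""
    return str(request_vars.get("user_id")) == str(auth_user_id)


if __name__ == "__main__":
    url = sign_url("/user", {"user_id": "9"}, user_id=9)
    print(url)
    print(verify_url(url, current_user_id=9))       # True
    tampered = url.replace("user_id=9", "user_id=10")
    print(verify_url(tampered, current_user_id=9))  # False: vars were altered
    print(verify_url(url, current_user_id=10))      # False: another user replaying the link
    print(owner_check({"user_id": "9"}, 9))         # True
```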

