Protecting URL Identifiers in ASP.NET MVC

I am working on a typical CRUD application in ASP.NET MVC, where there will be several user accounts, and each of them will have several elements.

When a user edits an item, he does it at a URL such as /edit/5, where the number is the row identifier in the database.

I have a problem: one user can simply change the ID to the ID of another user's element and edit it. To protect the identifier, the following solutions came to mind:

  • Encrypt it so that it cannot be easily changed - but then, of course, I need code to decrypt it every time it is sent back.
  • Modify the database schema so that a GUID is also created next to the identifier, and this is used in the URL.
  • Leave the readable identifier as is and include the logged-in user's UserID in the queries for the element, so that the queries look like this:

    // currentUserId is the ID of the user who is currently logged in
    database.Items.SingleOrDefault(c => c.UserID == currentUserId && c.ID == itemID);

Maybe there is a better way, or one I have not thought of. What is your preferred method of protecting against this problem?

+4
3 answers

Definitely the third solution. Get the logged-in user's ID from the encrypted cookie (see FormsAuthentication) and use it in the SQL query to verify that the element belongs to the user.

+9
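The pattern this answer recommends (the question's third option), shown as an added example rather than code from the question or the answer. It assumes an Entity Framework context `AppDbContext` with an `Items` table whose `UserID` column holds the owner's `User.Identity.Name` from the Forms Authentication ticket; the model, context and controller names are hypothetical. The insecure action is kept beside the hardened one to show exactly what changes, and the owner check is applied to the POST as well, since an attacker who can tamper with the ID in the URL can tamper with it in the form post just as easily.

```csharp
using System.Data.Entity;
using System.Linq;
using System.Web.Mvc;

// Hypothetical EF model and context for this example.
public class Item
{
    public int ID { get; set; }
    public string UserID { get; set; }   // owner; set server-side, never from the client
    public string Title { get; set; }
}

public class AppDbContext : DbContext
{
    public DbSet<Item> Items { get; set; }
}

[Authorize]   // authentication is required, but authentication alone is not authorization
public class ItemsController : Controller
{
    private readonly AppDbContext database = new AppDbContext();

    // VULNERABLE: trusts the route ID alone. Any signed-in user who changes
    // /Items/EditInsecure/5 to /Items/EditInsecure/6 gets another user's item.
    [HttpGet]
    public ActionResult EditInsecure(int id)
    {
        Item item = database.Items.Find(id);
        if (item == null) return HttpNotFound();
        return View("Edit", item);
    }

    // SAFE: scope the lookup to the logged-in user. The user ID comes from the
    // authentication ticket (the FormsAuthentication cookie), not from the request.
    [HttpGet]
    public ActionResult Edit(int id)
    {
        Item item = FindOwnedItem(id);
        // 404, not 403: a foreign ID is indistinguishable from a missing one,
        // so the URL cannot be used to enumerate which IDs belong to others.
        if (item == null) return HttpNotFound();
        return View(item);
    }

    // The same ownership check must guard the write, and only editable
    // fields are copied from the posted form (UserID stays server-controlled).
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Edit(int id, [Bind(Include = "Title")] Item form)
    {
        Item item = FindOwnedItem(id);
        if (item == null) return HttpNotFound();
        if (!ModelState.IsValid) return View(item);

        item.Title = form.Title;
        database.SaveChanges();
        return RedirectToAction("Index");
    }

    // Single place where "this item belongs to the current user" is decided.
    private Item FindOwnedItem(int id)
    {
        string currentUserId = User.Identity.Name;
        return database.Items
            .SingleOrDefault(c => c.UserID == currentUserId && c.ID == id);
    }

    protected override void Dispose(bool disposing)
    {
        if (disposing) database.Dispose();
        base.Dispose(disposing);
    }
}
```

Note that neither of the question's other two options replaces this check: an encrypted or GUID identifier only makes a foreign ID harder to guess, and a GUID that leaks (shared link, log file, browser history) is still accepted unless the query is scoped to the owner. Putting every lookup through one owner-scoped method such as `FindOwnedItem` is what keeps the check from being forgotten on a new action.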

Never trust user input; always check that the user actually has access to the item.

+5

Store the user ID in the session collection.

0
