
I pass a Model value (Id) from action to action like this:

Controller part:

    return RedirectToAction("SaveAction", "MyController", new { MyId = model.Id });

View part:

    @Html.HiddenFor(model => model.Id)

Another View example:

    @Html.ActionLink("Delete", "Delete", new { MyId = Model[i].Id, AnotherId = Model[i].AnotherId })

And in the browser's address bar it is shown like this:

    http://localhost:9151/Controller/Save?Id=180

When I change "180" to "181", the user can see the View with all the values related to Id=181. It's an important security problem for me, and users should not be able to reach other Id values like 181, 182, 183, etc.

How can I pass the Id value safely from action to action, and how can I avoid showing the Id value in the browser's address bar?

Is there an easy way to do this?

kojirosan

  • Have you tried using a route provider in MVC? – Vinit Patel Oct 08 '14 at 09:09
  • Instead of GET use POST – Ehsan Sajjad Oct 08 '14 at 09:11
  • Thank you for your quick reply. No I haven't. It's a multiple project and I don't want to change the route provider. – kojirosan Oct 08 '14 at 09:11
  • You need to handle the security in the controller. A user can still type `/Controller/Save?Id=181` in the address bar. – Oct 08 '14 at 09:11
  • See this question and answer, maybe it helps you: http://stackoverflow.com/questions/8968689/routing-how-to-hide-action-name-in-url – Vinit Patel Oct 08 '14 at 09:12
  • @EhsanSajjad I'm sorry but I haven't got what you mean. – kojirosan Oct 08 '14 at 09:12
  • @Fatih1453 Use a form to POST the value; that way the user will not be able to change the id in the URL. – Ehsan Sajjad Oct 08 '14 at 09:13
  • You should look into using `AuthorizeAttribute`s and having users with specific roles, or owning particular items, that they are authorised to have access to: http://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute(v=vs.118).aspx – Pricey Oct 08 '14 at 09:14
  • Thank you all for your answers. @Vap I'll check it out. – kojirosan Oct 08 '14 at 09:21
  • @Pricey That won't stop someone making up a new URL. – DavidG Oct 08 '14 at 09:23
  • This might be useful. I've not tried it yet though: http://erraticdev.blogspot.co.uk/2011/03/removing-route-values-from-linksurls-in.html – Jason Evans Oct 08 '14 at 09:27
  • @DavidG Why would you want to do that anyway? A user can still change the URL. The point is they should be authorising access to the data that is shown in the request result for that URL. – Pricey Oct 08 '14 at 09:34
  • @Pricey Take a website that shows a list of employees and I only have access to see my team members. Adding `AuthoriseAttribute` will stop anonymous users requesting the page, but it won't stop me modifying the URL to get an employee I shouldn't see. – DavidG Oct 08 '14 at 09:43
  • @DavidG You've lost me. You can create custom authorise attributes in MVC that validate against users and roles in your application; that's why I said "having users with specific roles or own particular items that they are authorised to have access". If the user is not authorised to access that URL they just typed, then the error should be handled and redirected to an error controller or something similar to display a not-authorised message. – Pricey Oct 08 '14 at 09:49
  • I agree completely with Pricey and Stephen: hiding the ID and pretending that this is somehow security is completely false. At best, if you could somehow hide part of the URL and still visit it (which is not possible without route defaults or action defaults), then it still doesn't provide any security. You need to ensure that users have valid claims to data requested by any URL before returning it to them. Any URL pattern can either be discerned or guessed by the user, or viewed in logs/browser history. Security by obscurity at best. – pwdst Oct 08 '14 at 10:10
  • If your Delete action is [HttpGet], users can access it from the URL. You must change it to [HttpPost] and call it. – M.Azad Oct 08 '14 at 10:33

1 Answer

A simple way is to encode and decode the id.

A more secure way is to encrypt the id.

Mohsen Esmailpour
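The comments above (Pricey, DavidG, pwdst, M.Azad) make the point that the fix is a server-side check in the controller, not hiding the id: whether the id is plain, encoded or encrypted as the answer suggests, the action still has to verify that the authenticated user is allowed to see that record. The following is an added example, not code from the question or the answer, showing how that check looks in an ASP.NET MVC 5 controller for the `Save` and `Delete` actions named in the question. It assumes a hypothetical `IRecordRepository` and `MyRecord` type with an `OwnerUserName` column; substitute the project's own data access.

```csharp
using System.Web.Mvc;

// Added example (not from the original question or answer).
// Assumes a hypothetical repository and record type, defined below.
[Authorize]   // rejects anonymous callers, but by itself does not stop a logged-in user from guessing ids
public class MyController : Controller
{
    private readonly IRecordRepository _records;   // hypothetical data-access abstraction

    public MyController(IRecordRepository records)
    {
        _records = records;
    }

    // GET /MyController/Save?MyId=180
    // The id taken from the URL is untrusted input: load the record, then check that the
    // caller owns it before rendering anything. Changing 180 to 181 in the address bar
    // now yields a 404 instead of another user's data.
    public ActionResult Save(int MyId)
    {
        MyRecord record = _records.Find(MyId);
        if (record == null)
        {
            return HttpNotFound();
        }

        // Ownership check against the authenticated identity. Returning 404 rather than
        // 403 avoids confirming to the caller that the guessed id exists.
        if (record.OwnerUserName != User.Identity.Name)
        {
            return HttpNotFound();
        }

        return View(record);
    }

    // Deletion changes state, so it is POST-only and protected against CSRF, as M.Azad's
    // comment suggests. In the view, the GET ActionLink from the question becomes a small
    // form that posts MyId here and includes @Html.AntiForgeryToken().
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Delete(int MyId)
    {
        MyRecord record = _records.Find(MyId);

        // Same ownership rule as Save: a user may only delete records they own.
        if (record == null || record.OwnerUserName != User.Identity.Name)
        {
            return HttpNotFound();
        }

        _records.Delete(record);
        return RedirectToAction("Index");
    }
}

// Hypothetical repository interface used above; replace with the project's own data layer.
public interface IRecordRepository
{
    MyRecord Find(int id);
    void Delete(MyRecord record);
}

// Hypothetical record type; the owner column is what the authorization check compares against.
public class MyRecord
{
    public int Id { get; set; }
    public string OwnerUserName { get; set; }
}
```

The comparison against `User.Identity.Name` is the part that closes the problem in the question; encrypting or encoding the id only changes what the caller sees in the URL and would still need this check behind it. Where records are shared by role rather than owned by one user, the same pattern applies with a role or claim lookup in place of the owner comparison.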