0

I have a Telerik grid in which I am using client templates for edit/delete actions for each record. So for the edit/delete action I need to pass the id of that record along with the URL, here in this case I am afraid about some security issues. I am looking for a way to hide the query string parameter here to overcome this issues.

I am aware about encryption of parameter and currently I am using that. But i want to completely hide the query string parameter. I can't use session/ViewBag here since I can't set the session value for each record at the time of button click and access it in controller.

Any help is appreciated. Thanks in advance. my Controller and View codes are the following

View

@model IEnumerable<Data.Models.MyViewModel>
@{
    Volunteer.Data.User currentUser = (Data.User)Session["CurrentUser"];
}
<div id="myDivId">
    <p style="clear:none;">
        @Html.ActionLink("Add", "Create", "MyController", new { area = "", ID = ViewBag.MyDataID }, new { @class = "aMyClass" })
    </p>
    @{
        Html.Telerik().Grid<MyViewModel>().Name("MyGrid")
            .Columns(col =>
            {
                col.Bound(c => c.FirstName).Width("120px");
                col.Bound(c => c.LastName).Width("80px");
                col.Bound(c => c.Designation).Width("80px");
                col.Bound(c => c.Company).Width("80px");
                col.Bound(c => c.Married).Filterable(false).ClientTemplate(
                    "<input type='checkbox'" + "<#= Married?\"checked\":\"\" #>" + " OnClick='return false' />"
                    ).Width("40px");               
                if (currentUser.AdminRole == true || currentUser.Manager == true || currentUser.StaffRole == true)
                {
                    col.Bound(c => c.EmployeeID).Sortable(false).ClientTemplate(
                                        "<a href='" + Url.Content("~/MyController/Edit/") + "<#= EmployeeID #>' title='Edit Employee Details' class='edit'>Edit</a>" +
                                        "<a href='" + Url.Content("~/MyController/Delete/") + "<#= EmployeeID #>' title='Delete Employee Details' class='delete'>Delete</a>"
                    ).Title("Action").Width("75px");
                }
                else
                {
                    col.Bound(c => c.EmployeeID).Sortable(false).ClientTemplate(
                                        "<a href='" + Url.Content("~/MyController/Details/") + "<#= EmployeeID #>' title='Associated Party Details' class='details'>Details</a>"
                    ).Title("Action").Width("75px");
                }
            })

        .DataBinding(dataBinding => dataBinding.Ajax().Select("_GetEmployeeList", "MyController", new { id = "MyDataID" }))
        .Pageable()
        .Sortable()        
        .Render();
    }
</div>

Controller

public ActionResult Edit(int id)//Want to pass this id without using Query string parameter
{
    User user = (User)Session["CurrentUser"];

    Employee employee = db.Employees.Single(c => c.EmployeeID == id);
    //some code
    return View(employee);
}

[HttpPost]
public ActionResult Edit(Employee employee)
{
    User user = (User)Session["CurrentUser"];

    if (ModelState.IsValid)
    {
        db.Employees.Attach(employee);
        db.ObjectStateManager.ChangeObjectState(Employees, EntityState.Modified);
        db.SaveChanges();
        return RedirectToAction("Index");
    }
    Employee employee = db.Employees.Single(c => c.EmployeeID == id);
    //some code
    return View(employee);
}
Improve this question
3
  • Do you really need to pass it as part of the URL? Can't you do a POST request instead? Commented May 25, 2015 at 4:08
  • How can i use a POST request here? please look at my controller code. I need to navigate to another view from edit action and user submit the changes then in there I am using post request to Save the changes. Then navigate back to the grid. This is the flow of operation here Commented May 25, 2015 at 4:13
  • Security through obscurity is no security at all. Rather than hiding it you should be authenticating the user and checking that they have the appropriate role/rights to view or edit the employee. That way, anyone can see the Url but nobody can use it maliciously. Commented Mar 22, 2019 at 5:14

2 Answers 2

Reset to default
0

But i want to completely hide the query string parameter.

Query string parameters are part of the HTTP standard for using the GET method as they are part of the URI.

HTTP 1.1 Get Request

The GET method means retrieve whatever information (in the form of an entity) is identified by the Request-URI.

Please understand that the GET method by default, sends parsable information in the URI for example:

http://www.mywebsite.com/person?id=1
                                ^--- one location that can be parsed is the querystring

So hiding this means that you either need to change the way you make the request or change the request type.

@Html.ActionLink(/* irrelevant parameters*/)

Creates an Anchor Tag and part of the anchor tag is an attribute (href) that stores the URI. To my knowledge there is no default way to override the URI to not pass information via the Querystring.

HTTP 1.1 Post Request

The POST method is used to request that the origin server accept the entity enclosed in the request as a new subordinate of the resource identified by the Request-URI in the Request-Line.

This is a fancy way of saying, send information to the URI. However this time, you can either use the Querystring or using the body of the request (which as far as I know, GET does not allow a body of the request). The body can contain just about any type of mime type, but is typically application/x-www-form-urlencoded.

So an alternative piece of code to:

@Html.ActionLink("Add", "Create", "MyController", new { area = "", ID = ViewBag.MyDataID }, new { @class = "aMyClass" })

Might be:

@using(Html.BeginForm("Create", "MyController", FormMethod.Post))
{
  <input type="hidden" name="area" value="" />
  <input type="hidden" name="ID" value="@ViewBag.MyDataID" />
  <input type="submit" value="Add" />
}

Based on the question you asked, I highly suggest reading up on MVC at http://www.asp.net/mvc/overview/getting-started/introduction/getting-started.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Thanks for the answer Eric, Yes i got what you come to say, and understood how GET requests works. But I came here to know is there any ways to handle this issue or not. I had lot of researches before add q question here. But didn't got a good method to handle my problem. Here i didn't have any issue with Create Action link, but my problem is with Edit/Delete/Details actions. Please see the column definition in my View code. How can i tackle this one. I don't know how to make that as a POST request, since it is inside the Column definition
I'm confused how changing an anchor tag to a form isn't the the solution for all your links.
0

I don't know how to make query strings completely invisible, but I can make them inaccessible for you.

The general idea idea is to create at least two pathways to the url with the query string. In the pathway(s) you want people to be able to access, create an intermediate method that redirects to the action where you want to return your view. The 2nd pathway will access that action I mentioned before directly. In the intermediate method, you tell a database to increase the value of "has this page been accessed before to 1.

You might have to think about the next part for a couple of hours before getting why it works 99% of the time. At the end of the intermediate method, set the value back to 0! In the action that returns a view, make it so that the view you want to return can only be returned if the value is set to 0! However, before the view is returned, set the value to 1! While, this method is not 100% secure. I think it is the only implementation that uses only basics and very little code. Obsfucating doesn't made query string urls inaccessible. It just makes it harder for people to access the website.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.