I know the default routes in MVC include an id param which often maps to the identity of an entity as it's stored in the database. Now, often this is OK, but what about when you don't want someone to be able to manipulate it? Quite frankly, on many business apps this is very common. For example, you don't want someone to change the account number (not the best example, but you get the idea) in the URL for obvious reasons. So, you would need to validate the account number against the logged-in user on every request. Obviously, that is not a realistic solution, and in WebForms many people would store something like that in session. I am trying to rely on session very little in MVC, but aside from that, would I just go old school and use hidden fields?

How do others approach this?

  • I think the Authorize attribute would help in your situation. See the NerdDinner example if you're not familiar with the attribute: nerddinnerbook.s3.amazonaws.com/Part9.htm Commented Sep 2, 2010 at 14:14

2 Answers


Actually, for good security you must validate authenticated users' rights on every request anyway. Probably you can extend the Authorize attribute to better suit your needs. And a hidden field is just a little bit better than a URL parameter, as they are easily changed by using IE developer tools or Firebug.


1 Comment

I agree 100%. See this related question and answer: stackoverflow.com/questions/1723323/…
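
An added example (not code from the question or either answer) of extending AuthorizeAttribute as the first answer suggests, so the ownership of the `id` route value is re-checked on every request instead of being trusted from the URL or a hidden field. `IAccountOwnership`, `OwnsAccountAttribute` and `AccountsController` are assumed names, and the code assumes ASP.NET MVC 3 or later on .NET 4 (for `Request.RequestContext`).

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Assumed abstraction over the data store: does this account belong to this user?
public interface IAccountOwnership
{
    bool IsOwnedBy(int accountId, string userName);
}

// Re-checks ownership of the "id" route value on every request, so a changed
// account number in the URL (or a hidden field) is refused rather than trusted.
public sealed class OwnsAccountAttribute : AuthorizeAttribute
{
    // Assumed wiring point: set once at application start (e.g. in Global.asax).
    public static IAccountOwnership Ownership;

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Base check first: authenticated, and any Roles/Users restriction satisfied.
        if (!base.AuthorizeCore(httpContext) || Ownership == null)
            return false;
        object rawId;
        var routeValues = httpContext.Request.RequestContext.RouteData.Values;
        if (!routeValues.TryGetValue("id", out rawId))
            return false;                       // no id to check: deny by default
        int accountId;
        if (!int.TryParse(Convert.ToString(rawId), out accountId))
            return false;                       // malformed id is forbidden, not a 500
        return Ownership.IsOwnedBy(accountId, httpContext.User.Identity.Name);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Logged in but not the owner: answer 403 instead of bouncing to the login page.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}

public class AccountsController : Controller
{
    [OwnsAccount]                               // id in the URL must belong to the caller
    public ActionResult Details(int id)
    {
        return View();                          // reached only when ownership was confirmed
    }
}
```

Because the check runs in the filter, every action that carries the attribute gets it without repeating the lookup in each action body.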

A way this was handled at one place I worked was to check the referrer in the Request object. If the referrer was blank or not from the current domain, don't show them the page.

Request.UrlReferrer

It actually worked out pretty well.
