I am using ASP.NET and a membership provider for my site. If the user can easily see their GUID, will this be considered a security risk? Should I take extra steps so that users cannot easily find their GUID, for example, when they confirm their verification process? Although there are ways around this, for example, using a separate GUID for front-end actions, is this an extra increase in overhead and development time?
An example of possible spoofing is when I check the user's permission to access the resource.
Guid cUser = (Guid)Membership.GetUser().ProviderUserKey; // if this is publicly viewed, then there is no reason to call the DB or store it in a session, as it can be placed in the QueryString
bool grantAccess = CheckGroupPermission(cUser, groupID);
thanks
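The distinction the question is circling is where the GUID comes from, not whether it is visible. Below is an added example (not the asker's code) contrasting the risky version, where the id is read from the request, with the safe version, where it is taken from the authenticated session; CheckGroupPermission and the in-memory membership table are hypothetical stand-ins for the asker's database lookup.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;

public static class ResourceAccess
{
    // Constructed sample data standing in for the asker's database: which users belong to which groups.
    static readonly Dictionary<Guid, HashSet<int>> GroupMembership = new Dictionary<Guid, HashSet<int>>
    {
        { new Guid("11111111-1111-1111-1111-111111111111"), new HashSet<int> { 10, 20 } },
        { new Guid("22222222-2222-2222-2222-222222222222"), new HashSet<int> { 30 } },
    };

    // Hypothetical stand-in for the question's CheckGroupPermission.
    public static bool CheckGroupPermission(Guid userId, int groupID)
    {
        HashSet<int> groups;
        return GroupMembership.TryGetValue(userId, out groups) && groups.Contains(groupID);
    }

    // Risky: the identity is read from the request. Because the GUID is visible to the user,
    // anyone can substitute another user's GUID and the permission check runs for the wrong identity.
    public static bool GrantAccessFromQueryString(HttpRequest request, int groupID)
    {
        Guid cUser;
        if (!Guid.TryParse(request.QueryString["userId"], out cUser))
            return false;
        return CheckGroupPermission(cUser, groupID); // attacker-controlled cUser
    }

    // Safe: the identity comes from the forms-auth cookie via Membership.GetUser(), never from the
    // request. Knowing the GUID is then harmless, because the check is bound to whoever logged in.
    public static bool GrantAccessFromIdentity(int groupID)
    {
        MembershipUser user = Membership.GetUser(); // null when the caller is not authenticated
        if (user == null || user.ProviderUserKey == null)
            return false;
        return CheckGroupPermission((Guid)user.ProviderUserKey, groupID);
    }

    // When a user id must appear in a URL (e.g. ?userId=...), treat it as a lookup parameter and
    // confirm it matches the authenticated caller before acting on it.
    public static bool CallerOwnsRequestedUser(string requestedUserId)
    {
        MembershipUser user = Membership.GetUser();
        Guid requested;
        if (user == null || user.ProviderUserKey == null || !Guid.TryParse(requestedUserId, out requested))
            return false;
        return requested == (Guid)user.ProviderUserKey;
    }
}
```

With this split, a separate front-end GUID adds overhead without changing the security property; what matters is that the server never trusts a client-supplied identity for authorization.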