ASP.NET MVC 2: should the EditModel include the identifier? Securing the ID against tampering

I am looking for some recommendations on creating EditModels and updating data in an ASP.NET MVC application. Suppose I have a URL, for example, /Post/Edit?Id=25

I make sure that the user has permission to edit the specific record by identifier in the GET request, and the same in my POST action in the controller. I am using ValidateAntiForgeryToken.

Questions: Should I include the Id property in my EditModel? If so, should I encrypt it?

The problem is that I can use FireBug to edit the Id hidden input and edit another record if I have permission to do this. This is not terrible, but it seems wrong.

Any help would be great!

+3
2 answers

There are several ways to prevent this.

The first is not to send sensitive data to the client. Store the post ID in a session variable so that the user cannot edit it. This may or may not be an option depending on your architecture.

The next approach is to convert the direct reference into an indirect one. For example, instead of sending postids = {23452, 57232, 91031}, send the client an opaque list {1,2,3} to populate the drop-down list. Only the server knows that 1 means 23452, 2 means 57232 and so on. Thus, the user cannot change any parameter that you do not want changed.

3 html - {userId = 13223, postId = 923, role = author}. postId=923&userId=13223&role=author. (SHA-1 MD5). SHA-1('postId=923&userId=13223&role=author&MySuperSecretKey'). ProtectedParameters=userId,postId,role.

+1
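A worked version of the protected-parameters approach sketched in this answer, as an added example that is not part of the original post: the hidden fields named in a ProtectedParameters list are signed when the edit form is rendered and verified on POST, so a postId changed in FireBug fails the check. It uses HMAC-SHA256 rather than SHA-1 over the parameters plus a secret key; the key, the form values and the ParameterProtector class name are constructed for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the original answer): sign the hidden fields listed in
// ProtectedParameters with an HMAC and reject a POST whose values were edited.
public static class ParameterProtector
{
    // Constructed demo key; a real application loads this from protected configuration.
    static readonly byte[] Key = Encoding.UTF8.GetBytes("MySuperSecretKey-demo-only");

    // Canonical form in the declared order, e.g. "postId=923&userId=13223&role=author".
    // Values are escaped so a value containing '&' or '=' cannot blur field boundaries.
    public static string Canonical(IDictionary<string, string> form, string[] protectedNames)
    {
        return string.Join("&", protectedNames.Select(n => n + "=" + Uri.EscapeDataString(form[n])));
    }

    // Computed on GET and rendered as a hidden field next to the protected ones.
    public static string Sign(IDictionary<string, string> form, string[] protectedNames)
    {
        using (var mac = new HMACSHA256(Key))
            return Convert.ToBase64String(mac.ComputeHash(Encoding.UTF8.GetBytes(Canonical(form, protectedNames))));
    }

    // Called on POST: recompute from the submitted values and compare in constant time.
    public static bool Verify(IDictionary<string, string> form, string[] protectedNames, string tag)
    {
        if (!protectedNames.All(form.ContainsKey)) return false;   // a protected field was dropped
        byte[] expected = Convert.FromBase64String(Sign(form, protectedNames));
        byte[] submitted;
        try { submitted = Convert.FromBase64String(tag ?? ""); } catch (FormatException) { return false; }
        int diff = expected.Length ^ submitted.Length;
        for (int i = 0; i < expected.Length && i < submitted.Length; i++) diff |= expected[i] ^ submitted[i];
        return diff == 0;
    }

    public static void Main()
    {
        string[] names = { "postId", "userId", "role" };   // the ProtectedParameters list
        var form = new Dictionary<string, string> { { "postId", "923" }, { "userId", "13223" }, { "role", "author" } };
        string tag = Sign(form, names);                      // what the GET response embeds
        Console.WriteLine("untouched form valid: " + Verify(form, names, tag));

        form["postId"] = "924";                              // hidden input edited before submit
        Console.WriteLine("tampered form valid:  " + Verify(form, names, tag));
    }
}
```

The tag covers only the protected names, so ordinary editable fields can still change freely; any field that must not change has to appear in the list.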


Source: https://habr.com/ru/post/1763376/
