Clever Geek Handbook

Asp.net MVC 3 Encrypts Hidden Values

I'm looking for suggestions or really good tutorials on how to handle IDs back and forth in a secure manner from client to server, I am not passing user IDs or anything like that, however I can pass the ID for the Items string . I would like to hide these ids from users. I wish I could not put them on the page as a whole, but given that they are pk I have no choice but to ping pong the value back and forth from client to server.

Thanks for any help.

change . I plan to check if the user has permission to do this, however I would still like to hide the data.

+1


source to share


4 answers


Simple sentence:

1) Add a guid column to your created tables (default: new id ()). Create an index on the guid column. Pass the manual back and forth, not your PC.



2) Does this completely protect your IDs? Not. But this prevents users from guessing the numeric PCs.

3) Always make sure the authenticated user has write access.

+6


source


You should really just do your security on the server. Any entry that the user has access to should be available, and any entry that they don't have access to shouldn't. It doesn't matter if they know what an ID is, because they have access to the data anyway. Anything they can do by hacking, they can do in the user interface.



So there is simply no point in trying to hide them.

+3


source


As you mentioned, it is not ideal practice to output the PK rows of the element table to the view as if they were in the HTML page of the page, they are viewable.

If I understand correctly, by "hiding" these identifiers from users, I am assuming that you mean rendering the identifiers harmless anyway, even if they are taken from the HTML representation, they mean little in their individual context.

One way to achieve the above is to use the ViewModel to output related data to the View, but in your particular ViewModel class you may have some custom property logic to encode the PC with AES (two-way) encryption algorithm, with the encryption salt being something known to you (and your server).

This will be one way to "protect" the PC in view.

With this approach, you might have to influence the performance overhead, except that PC encryption / decryption happens when that data is pinged back and forth!

This might be of interest if you are on the encryption path:

Simple unsafe two-way "obfuscation" for C #

You can also achieve more opacity without encryption by referring to an in-memory key-value (cache or session) that outputs arbitrary numbers as IDs to the view for each of your table elements and, when retrieved from the view, the PK reverses from collection in memory.

+2


source


You can use the MVC Security Extensions project https://mvcsecurity.codeplex.com .

Let's say that the field you want to protect is Id ...

On your mail control method add:

[ValidateAntiModelInjection("Id")]

In your view add:

@Html.AntiModelInjectionFor(m => m.Id)
@Html.HiddenFor(m => m.Id)

In the Post field, your Id field will be confirmed.

+2


source






More articles:


All Articles