ChristianCru...
0 Points
3 Posts
How to prevent a user from navigating through my website by manipulating the URL?
Apr 25, 2012 03:00 PM
Hello, I'm using the MVC3 architecture on a website and need to know how to keep the user from manipulating the parameters of a URL.
E.g. www.midominio.com/products/edit/25
This means the user must not be able to manipulate the number 25.
Thanks for your help
CodeHobo
All-Star
18647 Points
2647 Posts
Re: How to prevent a user from navigating through my website by manipulating the URL?
Apr 25, 2012 03:05 PM
The user can always modify the URL; that's part of the browser, and as web application developers we don't have direct access to that. What we can do, however, is control what happens on the server. The way to deal with this issue is by authorizing the user on the server. Meaning that in your action method you need to check if the user has access to the edit action method, then also check to see that the user is allowed to edit row 25. If your rules don't allow the user to edit record 25, then you would send the user to an unauthorized page.
You have access to a user's logged-in name and role; use those to determine if the user has access. See this:
http://www.c-sharpcorner.com/uploadfile/b19d5a/membership-and-authorization-in-Asp-Net-mvc-3-razor/
Blog | Twitter : @Hattan
ChristianCru...
0 Points
3 Posts
Re: How to prevent a user from navigating through my website by manipulating the URL?
Apr 25, 2012 03:23 PM
Thanks CodeHobo
That's one solution that I had thought of.
Can MVC not control that? For example, using HttpPost?
Thanks
CodeHobo
All-Star
18647 Points
2647 Posts
Re: How to prevent a user from navigating through my website by manipulating the URL?
Apr 25, 2012 04:04 PM
You can create an action filter similar to HttpPost and put the authorization code in there. The action filter has access to the input parameters and the user's role/username. That's probably the cleanest way, but there is no built-in way to do this, since it's going to be unique for every application and depends on your specific business rules.
Here's a link on creating a custom action filter:
http://msdn.microsoft.com/en-us/library/dd381609.aspx
Blog | Twitter : @Hattan
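The custom action filter described in the answer above, written out as an added example (not code from the thread or from ASP.NET MVC itself). It assumes a hypothetical `IProductRepository` with a `FindOwner` method registered with MVC3's `DependencyResolver`, and the business rule "administrators may edit any row, everyone else only rows they own" is an assumption standing in for the application's real rules:

```csharp
using System;
using System.Web.Mvc;

// Hypothetical data-access interface (an assumption, not part of MVC):
// maps a product id to the user name of the account that owns the row.
public interface IProductRepository
{
    string FindOwner(int productId);
}

// Server-side authorization filter: runs before the action body and checks
// that the logged-in user may edit the row named in the URL (/products/edit/25).
public class AuthorizeProductOwnerAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            filterContext.Result = new HttpUnauthorizedResult(); // 401: send to login
            return;
        }
        // Read the model-bound "id" parameter; reject a missing or non-numeric id.
        object raw;
        int productId;
        if (!filterContext.ActionParameters.TryGetValue("id", out raw) ||
            raw == null || !int.TryParse(raw.ToString(), out productId))
        {
            filterContext.Result = new HttpNotFoundResult();
            return;
        }
        // Business rule assumed for this example: administrators may edit any
        // row, everyone else only rows they own. Substitute your own rules here.
        if (user.IsInRole("Administrator")) return;

        var repo = DependencyResolver.Current.GetService<IProductRepository>();
        string owner = repo.FindOwner(productId);
        if (owner == null)
        {
            filterContext.Result = new HttpNotFoundResult(); // no such row
        }
        else if (!string.Equals(owner, user.Identity.Name, StringComparison.OrdinalIgnoreCase))
        {
            // Authenticated but not permitted: 403 rather than the 401 login redirect.
            filterContext.Result = new HttpStatusCodeResult(403, "Not allowed to edit this record");
        }
    }
}
```

Apply it next to the existing verb filter, e.g. `[HttpPost, AuthorizeProductOwner] public ActionResult Edit(int id, ProductModel model)`, so that changing the 25 in the URL only reaches the action body when the server-side check passes.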
ChristianCru...
0 Points
3 Posts
Re: How to prevent a user from navigating through my website by manipulating the URL?
Apr 25, 2012 05:23 PM
I have decided to encrypt the URL parameters, but the encrypted string I get contains the characters "/" and "+".
How can I avoid those characters?
Thanks
CodeHobo
All-Star
18647 Points
2647 Posts
Re: How to prevent a user from navigating through my website by manipulating the URL?
Apr 25, 2012 05:35 PM
You have to UrlEncode your parameters.
http://msdn.microsoft.com/en-us/library/zttxte6w.aspx
Blog | Twitter : @Hattan