Marked as answer by sos00 on Apr 04, 2010 06:16 PM
levib
Microsoft
Re: keep values of model's unused members during updates
Apr 02, 2010 05:02 PM
Stick a [Bind(Exclude = "CreatedByUserId")] attribute on the model type. This will prevent the binder from ever attempting to set that property. (This value will probably be default(TProperty) if you're creating a new object, or it will maintain its original value if you retrieved the model from the DB as part of this action.) When submitting this updated object to your repository, the repository would have to be smart enough to compare the previously stored ID with the current user ID.
If you absolutely need to keep the CreatedByUserId around, you may want to consider sticking it in Session. As long as Session is stored at the server (the default configuration), it's tamper-proof by end users.
Also, MVC Futures has Html.Serialize() and the [Deserialize] attribute, both of which can be configured to encrypt + sign the serialized contents. See http://blog.maartenballiauw.be/post/2009/10/08/Leveraging-ASPNET-MVC-2-futures-ViewState.aspx for more information. The Sign + Encrypt parameter to these methods prevents inspection of and tampering with the generated data, but the data can still be replayed. (You may also serialize a timestamp in the data to create a window after which replays are invalid, if you wish.)
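The timestamp idea from the last paragraph of the answer above, as an added example that is not part of the original post and is not the MVC Futures implementation: a value is signed together with its issue time, and validation rejects both tampering and anything older than the allowed window. The SignedField class, the payload format and the 20-minute window are assumptions of this sketch; it signs only (no encryption) and targets .NET Core 2.1 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: signed, time-limited hidden-field value (all names hypothetical).
static class SignedField
{
    // Payload format (an assumption of this sketch): "<value>|<issued-unix-seconds>"
    public static string Protect(string value, byte[] key, DateTimeOffset now)
    {
        byte[] payload = Encoding.UTF8.GetBytes(value + "|" + now.ToUnixTimeSeconds());
        using (var hmac = new HMACSHA256(key))
            return Convert.ToBase64String(payload) + "." + Convert.ToBase64String(hmac.ComputeHash(payload));
    }

    public static bool TryUnprotect(string token, byte[] key, DateTimeOffset now, TimeSpan maxAge, out string value)
    {
        value = null;
        string[] parts = (token ?? "").Split('.');   // '.' never occurs in Base64 output
        if (parts.Length != 2) return false;
        byte[] payload, mac;
        try { payload = Convert.FromBase64String(parts[0]); mac = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return false; }
        using (var hmac = new HMACSHA256(key))       // constant-time compare of the MAC
            if (!CryptographicOperations.FixedTimeEquals(hmac.ComputeHash(payload), mac)) return false;

        // Only parse the payload after the signature has been verified.
        string text = Encoding.UTF8.GetString(payload);
        int sep = text.LastIndexOf('|');
        if (sep < 0 || !long.TryParse(text.Substring(sep + 1), out long issued)) return false;
        TimeSpan age = now - DateTimeOffset.FromUnixTimeSeconds(issued);
        if (age < TimeSpan.Zero || age > maxAge) return false;   // outside the replay window
        value = text.Substring(0, sep);
        return true;
    }
}

static class Demo
{
    static void Main()
    {
        var key = new byte[32]; RandomNumberGenerator.Fill(key);   // server-side secret
        var t0 = DateTimeOffset.UtcNow; var window = TimeSpan.FromMinutes(20);
        string token = SignedField.Protect("42", key, t0);         // constructed sample value
        string forged = Convert.ToBase64String(Encoding.UTF8.GetBytes("999|" + t0.ToUnixTimeSeconds())) + "." + token.Split('.')[1];
        Console.WriteLine(SignedField.TryUnprotect(token, key, t0.AddMinutes(5), window, out string v) + " " + v);
        Console.WriteLine(SignedField.TryUnprotect(forged, key, t0.AddMinutes(5), window, out _));
        Console.WriteLine(SignedField.TryUnprotect(token, key, t0.AddHours(1), window, out _));
    }
}
```

A token replayed inside the window still validates, so the server-side ownership comparison described in the first paragraph of the answer remains necessary.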