Last post Oct 31, 2010 12:11 PM by sjnaughton
Sep 23, 2010 07:56 AM|jrees|LINK
I am developing a multi-user website using Dynamic Data and wondered if someone could answer the following or provide advice:
What is the best way of protecting data so someone (who has a login to the site) cannot see records intended ONLY to be viewable by another valid user?
As far as I can see a user can simply tamper with querystring or URL values (if using routing) and bring up the details of records they should not.
Any help would be gratefully appreciated. I am drawing a blank so far and the easiest option may be to go back to a traditional ASP.NET site where I can control things simply by use of a Session variable (UserID).
Sep 23, 2010 08:45 AM|AlexanderB|LINK
You have to apply some authentication model to your site. Forms authentication is something native for ASP.NET applications, so go ahead:
Sep 23, 2010 08:49 AM|sirdneo|LINK
There are two levels of access:-
1- Page Level
2- Data Level
We can easily protect users from accessing a particular page through the ASP.NET authentication and authorization mechanism. For details see
this link. Also you can implement your own Session-based protection model as mentioned in
As far as data access, the most common issue is tampering with the query string as you mentioned. To avoid that you can implement some query string encryption module through which you can assure that the querystring is not tampered with. Here is a sample for that which will give
you a quick start:-
Also try to avoid using Querystring for sensitive data and use session which is more secure.
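The "Data Level" access described above is where the querystring-tampering problem is actually closed: the server must refuse to load a record unless it belongs to the logged-in user, whatever key the URL carries. The following is an added example written for this thread, not code from the posts or from the Dynamic Data samples they link to. It assumes a hypothetical LINQ to SQL context named `SiteDataContext` with an `Orders` table that carries an `OwnerUserName` column, and a Details page that receives its key as `?OrderId=...` (Dynamic Data keeps the key in the query string even when routing is enabled).

```csharp
// Added example (not from the thread): a data-level ownership check for a
// Dynamic Data 4 Details page. SiteDataContext, Orders, OrderId and
// OwnerUserName are hypothetical names chosen for the example.
using System;
using System.Linq;
using System.Linq.Expressions;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public static class OwnershipGuard
{
    // Returns the single row matching BOTH the caller-supplied key and the
    // current user, or throws 404. Folding the owner into the query means a row
    // the caller does not own is indistinguishable from one that does not exist,
    // so a tampered key leaks nothing about other users' records.
    public static T RequireOwned<T>(IQueryable<T> rows, Expression<Func<T, bool>> keyAndOwnerMatch)
        where T : class
    {
        T row = rows.SingleOrDefault(keyAndOwnerMatch);
        if (row == null)
            throw new HttpException(404, "Not found");
        return row;
    }
}

// Code-behind for a Details page (page template or custom page). Page_Load runs
// on every request including postbacks, so Edit and Delete submitted from the
// same page are covered by the same check.
public partial class Details : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string user = Context.User.Identity.Name;
        if (string.IsNullOrEmpty(user))
        {
            // Forms authentication: send anonymous callers to the login page.
            FormsAuthentication.RedirectToLoginPage();
            return;
        }

        // The key arrives from the URL; treat it as untrusted input.
        int orderId;
        if (!int.TryParse(Request.QueryString["OrderId"], out orderId))
            throw new HttpException(404, "Not found");

        using (var db = new SiteDataContext())
        {
            OwnershipGuard.RequireOwned(db.Orders,
                o => o.OrderId == orderId && o.OwnerUserName == user);
        }
        // Only when the guard passes does the page's own data source load the row.
    }
}
```

Because Dynamic Data page templates are shared by every table, a real site would drive the owner column from the `MetaTable` (or restrict the check to a custom page per sensitive table) rather than hard-coding `Orders` as above; the example is deliberately per-page to show the control in its simplest form. The important property is that the check happens on the server against the authenticated identity, so hiding or encrypting the key in the URL becomes defence in depth rather than the only barrier.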
Sep 23, 2010 09:28 AM|sjnaughton|LINK
Hi jrees, first of all which version of Dynamic Data are you using?
Sep 23, 2010 09:34 AM|jrees|LINK
I am using DD4 (VS2010 and .Net 4)
Sep 23, 2010 12:18 PM|sjnaughton|LINK
Hi jrees, then have a look at my article here Securing Dynamic Data 4 (Replay) where I provide a Dynamic Data Security sample.
Securing Dynamic Data
Dynamic Data 4
Sep 24, 2010 08:12 AM|jrees|LINK
Many thanks to all who replied - I will do some investigations.
Sep 24, 2010 11:30 AM|jrees|LINK
Thanks for your reply. In your post you say:
"Also try to avoid using Querystring for sensitive data and use session which is more secure."
Can you tell me how I do this for Dynamic Data sites where the querystring is used to pass the key information between the "virtual" pages?
Sep 24, 2010 11:59 AM|klca|LINK
If Dynamic Data's URL Routing does all of this then you should go for it. (If you were avoiding the query string argument-passing problems.)
On the other hand, proper validation within your system MUST do the trick. It is up to you what they should see (let URL Routing do its part too).
Carlos Porras (El Salvador)
Sep 24, 2010 12:30 PM|jrees|LINK
But unless someone can tell me otherwise, URL Routing CANNOT pass the key via a Session variable (or form variable). It can only reformat the URL so a querystring is not necessary. For example:
but the info as to the key is still in the URL
Or am I missing something?
Sep 24, 2010 07:19 PM|sirdneo|LINK
I think in this case you need to implement custom logic on per page basis. It will be hard to find a generalized workaround in this case.
Sep 25, 2010 05:23 AM|sjnaughton|LINK
Hi John, yes you are correct; to hide the data passed in the URL you could obfuscate it, see this thread here
http://forums.asp.net/p/1541657/3758119.aspx#3758119 they mention
Passing Tamper-Proof QueryString Parameters
Tamper Proof Query String
Hope this helps [:)]
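Both sirdneo's "query string encryption module" and the tamper-proof querystring articles linked just above come down to the same idea: the server signs the parameters it puts in a link, and refuses any request whose parameters no longer match the signature. The following is an added example written for this thread, not code from the posts or from the linked articles. It uses an HMAC (tamper-evident rather than encrypted, since the key values themselves are not secret), binds the signature to the current user name so a copied link does not verify for someone else, and assumes a hypothetical `QueryStringKey` entry in appSettings for the secret. It also assumes the site builds its own links through `Sign()`; Dynamic Data's generated links would need a custom link builder, which the example does not cover.

```csharp
// Added example (not from the thread): tamper-evident query string parameters
// using HMAC-SHA256. "QueryStringKey" is a hypothetical appSettings entry.
using System;
using System.Collections.Specialized;
using System.Configuration;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Web;

public static class SignedQueryString
{
    // Server-side secret loaded from configuration; never hard-code it in the page.
    private static readonly byte[] Key =
        Encoding.UTF8.GetBytes(ConfigurationManager.AppSettings["QueryStringKey"]);

    // Builds "k1=v1&k2=v2&sig=...". The MAC also covers the user name, so a link
    // issued to one user does not verify when another logged-in user replays it.
    public static string Sign(NameValueCollection values, string userName)
    {
        string canonical = Canonical(values);
        return canonical + "&sig=" + Hmac(canonical + "|" + userName);
    }

    // Verifies Request.QueryString for the current user. Returns false for a
    // missing, altered, reordered or foreign-user signature.
    public static bool Verify(NameValueCollection query, string userName)
    {
        string presented = query["sig"];
        if (string.IsNullOrEmpty(presented))
            return false;

        // Request.QueryString is read-only, so work on a copy without "sig".
        var unsigned = new NameValueCollection(query);
        unsigned.Remove("sig");
        string expected = Hmac(Canonical(unsigned) + "|" + userName);
        return FixedTimeEquals(presented, expected);
    }

    // Sort keys so the same parameters in any order produce the same signature.
    private static string Canonical(NameValueCollection values)
    {
        return string.Join("&",
            values.AllKeys
                  .Where(k => k != null)
                  .OrderBy(k => k, StringComparer.Ordinal)
                  .Select(k => HttpUtility.UrlEncode(k) + "=" + HttpUtility.UrlEncode(values[k])));
    }

    private static string Hmac(string data)
    {
        using (var mac = new HMACSHA256(Key))
            return HttpServerUtility.UrlTokenEncode(mac.ComputeHash(Encoding.UTF8.GetBytes(data)));
    }

    // Constant-time comparison so response timing does not leak the signature.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length)
            return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Usage in a page (OrderId is a hypothetical parameter name):
//   string qs = SignedQueryString.Sign(
//       new NameValueCollection { { "OrderId", "42" } }, User.Identity.Name);
//   // emit: Details.aspx?OrderId=42&sig=...
//
//   if (!SignedQueryString.Verify(Request.QueryString, User.Identity.Name))
//       throw new HttpException(400, "Bad request");
```

A valid signature proves only that this server issued the link for this user; it does not by itself prove the user is allowed to see the record, so the page must still check record ownership against the authenticated identity before loading data. Rotating `QueryStringKey` invalidates every outstanding link, which is the expected behaviour if the secret is ever exposed.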
Oct 31, 2010 11:50 AM|gijigae|LINK
Could you please provide a link for DD1 Visual Studio 2008 and .Net 3.5 SP1 as well?
Oct 31, 2010 12:11 PM|sjnaughton|LINK
Sorry Gijigae, those are the only links I have [:(]