 

Anything more secure than hidden form fields in ASP.NET MVC?


In ASP.NET MVC (default routing), I'd like to use a URL like this to return a View with a form to edit a customer:

/Customers/Edit/5 

I need to make use of CustomerId=5, but I don't want to permit a customer to change it. Right now I make the id hidden using:

<%= Html.Hidden("CustomerId") %> 

This accomplishes what I want, but I'm under the impression that hidden form variables are not secure and can be manipulated by the end user.

So, what's the best way to allow a customer to edit their information but not their ID?

royco asked Apr 13 '09 04:04




1 Answer

My solution was to use the Tamper Proofing code from Steven Sanderson's ASP.NET MVC book. The idea is that you create a hash of any hidden form field you want to tamper proof:

<%= Html.Hidden("CustomerId") %>
<%= Html.Hidden("CustomerIdHash") %>

When the form is submitted, Steven's code then computes another hash of CustomerId and makes certain it equals CustomerIdHash. If it does, then no tampering has occurred. It's great code, and worth the price of the book.

royco answered Oct 12 '22 23:10
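A keyed version of the idea in the answer, added here as an example (it is not the book's code or the poster's): the "hash" is an HMAC under a server-side secret and is bound to the signed-in user, because an unkeyed hash of the id is something the client can recompute after editing the value. The secret key, the user name "alice" and the round-trip in Main are constructed placeholders; in a real application the key comes from server configuration and is never sent to the browser.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class TamperProof
{
    // Placeholder secret (constructed for this example): must be random,
    // server-side only, and stable across application restarts.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("REPLACE-WITH-SERVER-SECRET");

    // MAC over field name, value and user, so a valid (id, mac) pair issued to one
    // customer cannot be replayed by another customer on their own form.
    public static string Sign(string field, string value, string userName)
    {
        using (var hmac = new HMACSHA256(Key))
        {
            string payload = field + "|" + value + "|" + userName;
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
        }
    }

    // Recompute the MAC for the posted value and compare in constant time,
    // so timing does not leak how many bytes of the MAC were correct.
    public static bool Verify(string field, string value, string userName, string mac)
    {
        if (value == null || mac == null) return false;
        byte[] expected = Convert.FromBase64String(Sign(field, value, userName));
        byte[] actual;
        try { actual = Convert.FromBase64String(mac); } catch (FormatException) { return false; }
        int diff = expected.Length ^ actual.Length;
        for (int i = 0; i < expected.Length && i < actual.Length; i++)
            diff |= expected[i] ^ actual[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Rendering the edit form: emit the id and its MAC as two hidden fields.
        string id = "5";
        string mac = Sign("CustomerId", id, "alice");
        Console.WriteLine("<input type=\"hidden\" name=\"CustomerId\" value=\"" + id + "\" />");
        Console.WriteLine("<input type=\"hidden\" name=\"CustomerIdHash\" value=\"" + mac + "\" />");

        // Handling the postback: the unmodified submission is accepted; an id
        // edited in the browser but submitted with the original MAC is rejected.
        Console.WriteLine("unmodified: " + Verify("CustomerId", "5", "alice", mac));
        Console.WriteLine("edited id:  " + Verify("CustomerId", "6", "alice", mac));
    }
}
```

Even with the MAC in place, the controller action should still check that the authenticated user is authorized to edit the customer it is about to save, since the MAC only proves the server issued that id to that user, not that the edit itself is permitted.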