 

Best practise for handling secure saving through Ajax posts asp.net MVC 3

I am working on an ASP.NET MVC 3/knockout.js site for several users where they can save information about their websites. Here is a simple version of the model:

public class Website
{
    public string Id { get; set; }
    public string Name { get; set; }
    public string Url { get; set; }
    public string Description { get; set; }
}

I want to build a very responsive UI so all loading saving etc will be done through Ajax.

So the scenario is: when a user has added some websites to his list and clicks save, a JSON string is posted to an action method in a controller.

Everything works fine.

Problem is:

How can I ensure the user has not tampered with the id and is not actually saving information about some other user's website?

The Id is of course hidden, but any evil person with some web knowledge can easily change it.

Kimpo asked Nov 04 '22 07:11


1 Answer

You should use authentication. Decorate the action that will perform the update with the [Authorize] attribute. This will ensure that the user sending the AJAX request is authenticated, and he cannot change his username. Then you will check in your database whether the id of the site he is trying to update belongs to him. You will of course have a table that contains the mapping between users and sites.

If the user tampers with the site id and puts in the id of a site that doesn't belong to him, you will detect it in the controller action when you perform the query to verify that a given site id belongs to a given username. He cannot tamper with his username, as it is stored in an encrypted authentication cookie, unless of course he signs in with a different username, in which case he already knows the password.

Darin Dimitrov answered Nov 09 '22 04:11
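The pattern the answer describes, written out as an added example (this is not code from the question or the answer): the action is restricted with [Authorize], the username is taken from the authentication cookie through User.Identity.Name rather than from the JSON payload, and every Id in the posted batch is checked against the user-to-site mapping before anything is written. It goes slightly beyond the answer by handling a whole list of sites, including new ones without an Id. The names IWebsiteRepository, GetSiteIdsOwnedBy, Update, InsertForUser, WebsiteController and Save are assumptions for illustration.

```csharp
// Added example for an ASP.NET MVC 3 controller; repository names are hypothetical.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;

public class Website
{
    public string Id { get; set; }
    public string Name { get; set; }
    public string Url { get; set; }
    public string Description { get; set; }
}

// Hypothetical data-access contract. The real implementation would query the
// table that maps users to sites, as the answer suggests.
public interface IWebsiteRepository
{
    // Ids of every site owned by the given username.
    HashSet<string> GetSiteIdsOwnedBy(string userName);
    void Update(Website site);
    void InsertForUser(string userName, Website site);
}

public class WebsiteController : Controller
{
    private readonly IWebsiteRepository _repo;

    public WebsiteController(IWebsiteRepository repo)
    {
        _repo = repo;
    }

    // [Authorize] rejects unauthenticated callers before the body runs. The
    // username then comes from the forms-authentication cookie, so the client
    // cannot choose whose sites it is "saving" by editing the request.
    [Authorize]
    [HttpPost]
    public ActionResult Save(List<Website> sites)
    {
        if (sites == null)
        {
            return new HttpStatusCodeResult(400, "No sites posted");
        }

        string userName = User.Identity.Name;
        HashSet<string> owned = _repo.GetSiteIdsOwnedBy(userName);

        // Validate the whole batch before writing anything, so one tampered
        // Id cannot leave a half-applied save behind.
        List<string> foreign = sites
            .Where(s => !string.IsNullOrEmpty(s.Id) && !owned.Contains(s.Id))
            .Select(s => s.Id)
            .ToList();

        if (foreign.Count > 0)
        {
            // Do not echo back any data about the foreign ids; the user is not
            // allowed to learn whether they exist. Logging userName together
            // with the rejected ids here is useful for spotting tampering.
            return new HttpStatusCodeResult(403, "Site id does not belong to the current user");
        }

        foreach (Website site in sites)
        {
            if (string.IsNullOrEmpty(site.Id))
            {
                // New site: the server assigns the id and records ownership,
                // so the client never gets to pick an id.
                site.Id = Guid.NewGuid().ToString("N");
                _repo.InsertForUser(userName, site);
            }
            else
            {
                // Ownership was already verified above.
                _repo.Update(site);
            }
        }

        return Json(new { ok = true, ids = sites.Select(s => s.Id).ToList() });
    }
}
```

MVC 3 binds a JSON request body to List<Website> through the JsonValueProviderFactory it registers by default, provided the AJAX call sends Content-Type: application/json. Because the controller takes the repository in its constructor, the application needs a DependencyResolver (or a parameterless constructor that builds the repository itself) for MVC to create it. Checking ownership per item at write time would also work, but validating the batch first means a tampered id fails the whole request instead of leaving a partial save.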