Best way to ensure logged in users only see their data

This is going to sound like a stupid question, but I just wonder if I'm missing a trick anywhere.

Scenario is, I have a web application using Simple Membership, where users can register to use it (invoice program for example).

However, they should only be able to view/update/remove information that they themselves add to the database/web app.

What is the best way to ensure the user only gets access to their information?

Is it to add a Username field to every table, eg:

public class Invoice
{
    public int InvoiceId { get; set; }
    public int CustId { get; set; }
    public string UserName { get; set; }
}

public class Item
{
    public int ItemId { get; set; }
    public int InvoiceId { get; set; }
    public string UserName { get; set; }
}

...and then in any controller that accesses the data, simply add a check for the username within every query, eg:

// Comparison must be ==, not = (assignment does not compile inside the lambda)
var Inv = db.Invoices.Where(x => x.UserName == User.Identity.Name);
var Itm = db.Items.Where(y => y.UserName == User.Identity.Name);

That is what I'm using currently, but I wondered whether this is best practice? Or whether there is a simpler way now that we're on MVC4?

Is it best to use UserName or UserId from the UserProfile table, or does it matter?

Update to add clarity following comments

So 10 users have registered, and all created their own invoices. I don't want any user seeing any other user's invoices.

Thanks for any advice.

Mark

Mark Avatar asked Apr 19 '13 11:04

1 Answer

Things I would do are:

  1. Avoid passing in any form of user id/credential in the post/query string; hold it somewhere secure, like encrypted in a cookie, and always use this when building your queries.

  2. If you have IDs passed back to your program as part of an edit, make sure the values have not been tampered with: if you output the id in a hidden field, make sure it is the same when it comes back as it went out (this is called a direct reference attack).

  3. If your application requests an edit, such as client/edit/4, always ensure that id 4 belongs to that user before displaying it.

Some good reading here on the top 10 vulnerabilities: https://www.owasp.org/index.php/Top_10_2010-Main

Slicksim Avatar answered Sep 21 '22 13:09
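Putting the answer's three points together for the question's Invoice class in an MVC4 controller, as an added example that is not code from the question or the answer (the InvoiceDbContext name is an assumed EF context exposing a DbSet&lt;Invoice&gt; Invoices):

```csharp
using System.Linq;
using System.Web.Mvc;

// Assumed: InvoiceDbContext is an EF DbContext with DbSet<Invoice> Invoices,
// and Invoice is the class from the question (InvoiceId, CustId, UserName).
[Authorize] // unauthenticated requests never reach these actions
public class InvoicesController : Controller
{
    private readonly InvoiceDbContext db = new InvoiceDbContext();

    // Point 1: the owner comes from the authentication cookie (User.Identity.Name),
    // never from a route value, form field or query string. Every query starts here.
    private IQueryable<Invoice> MyInvoices()
    {
        return db.Invoices.Where(x => x.UserName == User.Identity.Name);
    }

    public ActionResult Index()
    {
        return View(MyInvoices().ToList());
    }

    // Point 3: GET /Invoices/Edit/4 - the id alone proves nothing; the row must
    // also belong to the signed-in user, so the ownership filter is part of the lookup.
    public ActionResult Edit(int id)
    {
        var inv = MyInvoices().SingleOrDefault(x => x.InvoiceId == id);
        if (inv == null)
            return HttpNotFound(); // 404 for both "missing" and "not yours": reveals nothing
        return View(inv);
    }

    // Point 2: on POST, re-load the row under the same ownership filter and copy only
    // the editable fields, so a tampered hidden InvoiceId or UserName in the form
    // cannot retarget the update to another user's invoice.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(int id, Invoice posted)
    {
        var inv = MyInvoices().SingleOrDefault(x => x.InvoiceId == id);
        if (inv == null)
            return HttpNotFound();
        inv.CustId = posted.CustId; // whitelist of fields the user may change
        db.SaveChanges();
        return RedirectToAction("Index");
    }
}
```

The same MyInvoices() filter is reused for Delete and for Items (joined through InvoiceId), so no action can reach a row the current user does not own.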