Reputation: 1861
Securing ASP.NET MVC Action Parameters
(ASP.NET MVC 4.5) Imagine you have a model for a bank or a company that has IDs that are sensitive information such as an account number or some other personally identifying information. What is the best way, or at the least what are some strategies, to route the edit/display actions without placing this information in the URL.
Obviously this would be bad:
https://goliath-natinal.com/Accounts/Edit/954321
if 954321 is your bank account number.
I imagine one way of doing this would be to add a GUID to each account that acts a a surrogate key. But I'm very curious to know if there are any possibilities for doing something if you cannot change the database at all.
Upvotes: 1
Views: 437
Answers (1)
Reputation: 165
Just throwing some ideas out here...
You could encrypt your identifier using Rijndael or some other type of encryption. You could salt and hash it based on other identifying fields related to the account. You could do that on the fly. You'd take a processing hit though.
If you're using a memcache or azure caching you could create a map of accounts to guids and let that just sit in the cache. If allowed, in the DB you could create a separate mapping table that maps the account to a new guid.
Can you give more info on the full restrictions? I.E. Is the table restricted from change, or the whole DB? Could you create a new DB?
Upvotes: 1
Related Questions
- Authenticate WEB API request with action params
- MVC protecting accessing some action
- Securing ASP.NET MVC3 Controllers/Actions
- ASP.NET MVC POST action request protection
- Securing ASP.NET MVC controller action which returns JSON
- Secure ASP.NET MVC calls to controllers
- MVC3 URL parameters - avoiding malicious attacks/security flaws
- ASP.NET MVC: Securing actions based on parameter values
- ASP .NET MVC Securing a Controller/Action
- Securing controller action in ASP.NET MVC