Neo

Reputation: 16239

Unable to prevent over posting using customer id

I have a simple MVC application.

In the Edit operation:

[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Edit(string CustomerId, [Bind(Include = "CustomerId,CompanyId,CompanyName,ContactName,ContactTitle,Address,City,Region,PostalCode,Country,Phone,Fax")] Customer customer)
{
    // Look up the tracked entity by the posted key, then overwrite it with the posted form values
    var user = db.Users.Find(CustomerId);
    if (user != null)
        TryUpdateModel(user);
    else
        return HttpNotFound();
    if (ModelState.IsValid)
    {
        db.SaveChanges();
        return RedirectToAction("Index");
    }
    // Re-display the form when validation fails (every code path must return a result)
    return View(customer);
}

But when I press F12 and change the hidden field value of CustomerId, it takes the changed CustomerId, which should not happen.

I want to prevent this over-posting of CustomerId.

1. If CustomerId is changed using F12, then throw an error.
2. If CustomerId is correct and not tampered with, then simply update all values.

I'm getting this exception:

An exception of type 'System.InvalidOperationException' occurred in EntityFramework.dll but was not handled in user code

Additional information: Attaching an entity of type 'MVCDemo.Models.Customer' failed because another entity of the same type already has the same primary key value. This can happen when using the 'Attach' method or setting the state of an entity to 'Unchanged' or 'Modified' if any entities in the graph have conflicting key values. This may be because some entities are new and have not yet received database-generated key values. In this case use the 'Add' method or the 'Added' entity state to track the graph and then set the state of non-new entities to 'Unchanged' or 'Modified' as appropriate.

Upvotes: 0

Views: 238

Answers (2)

adricadar

Reputation: 10219

I think there are many ways to do this; the simplest that comes to my mind looks like this.

  1. Generate a randomKey (it can be a Guid or something else) and store the customerId in Session[randomKey] = customerId. This happens before you render the View containing the form.

  2. In the hidden field store randomKey, and when you handle the post on the server side take customerId from Session: customerId = Session[randomKey].

This way customerId will never be on the client side and cannot be changed before being posted to the server.

Notes:

  1. The user can change the customerId with F12; remember that the user owns the HTML and he can make any change he wants.

  2. Maybe you can catch this change with javascript, but what happens if he disables javascript and changes the value?

  3. Because the randomKey is stored in Session, the key has a limited lifetime and the user cannot copy the key for later usage.

Upvotes: 1

user3559349

One technique to prevent tampering with hidden fields is to include another hidden field containing a hash of the CustomerId value. Then in the POST method, you can compare the values and will know if it's been tampered with.

This article discusses the technique including a custom html helper to generate the hidden input.

Upvotes: 1
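The hash-of-the-hidden-field technique from the answer above, written out as an added example (not code from the question or either answer). It uses a keyed HMAC-SHA256 rather than a bare hash, because a client can recompute an unkeyed hash of whatever CustomerId it substitutes; the helper class, the "HiddenFieldKey" appSettings entry and the CustomersController name are assumptions, while Customer is the question's model.

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;
using System.Web.Mvc;
using System.Web.Mvc.Html;

// Hypothetical helper: an HMAC-SHA256 tag over the hidden CustomerId lets the POST
// action detect a value edited in the browser's developer tools.
public static class HiddenFieldIntegrity
{
    // Assumption: web.config appSettings holds a base64 secret under the key "HiddenFieldKey".
    private static readonly byte[] Key =
        Convert.FromBase64String(ConfigurationManager.AppSettings["HiddenFieldKey"]);

    // The tag also covers the field name, so a tag minted for one field cannot be replayed on another.
    public static string Tag(string fieldName, string value)
    {
        using (var hmac = new HMACSHA256(Key))
            return BitConverter.ToString(
                hmac.ComputeHash(Encoding.UTF8.GetBytes(fieldName + "\n" + value))).Replace("-", "");
    }

    // Constant-time comparison, so response time does not reveal how much of a forged tag matched.
    public static bool Verify(string fieldName, string value, string submittedTag)
    {
        if (value == null || submittedTag == null) return false;
        byte[] expected = Encoding.UTF8.GetBytes(Tag(fieldName, value));
        byte[] actual = Encoding.UTF8.GetBytes(submittedTag);
        if (expected.Length != actual.Length) return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }

    // Razor: @Html.HiddenWithTag("CustomerId", Model.CustomerId) emits CustomerId and CustomerId_Tag inputs.
    public static MvcHtmlString HiddenWithTag(this HtmlHelper html, string name, string value)
    {
        return MvcHtmlString.Create(html.Hidden(name, value).ToHtmlString()
                                  + html.Hidden(name + "_Tag", Tag(name, value)).ToHtmlString());
    }
}

public class CustomersController : Controller
{
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Edit(string CustomerId, string CustomerId_Tag, Customer customer)
    {
        // Reject the request before touching the database if the hidden value was altered.
        if (!HiddenFieldIntegrity.Verify("CustomerId", CustomerId, CustomerId_Tag))
            return new HttpStatusCodeResult(400, "CustomerId does not match its integrity tag");
        // ... otherwise load the entity by CustomerId and update it as in the question's action
        return RedirectToAction("Index");
    }
}
```

A rejected tag is worth logging with the session and posted value, since a mismatch only occurs when the client has altered the form.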
