Reputation: 408
Is there any way to hide a parameter and pass it?
window.location.href = '@Url.Action("index", "mycntroller")?at=' + '119nuju';
Upvotes: 4
Views: 2831
Reputation: 125197
Although you can use a POST request, cookies, a request header, or ... to prevent parameters from being visible at first glance, you should know that hiding parameters will never help to increase the security of your website.
Because all parameters can be monitored in tools such as Developer Tools, Firebug, ... and there they are completely visible.
Hiding parameters is usually for a better user experience, so that the user can't see parameters that are meaningless to him.
So it's better not to try to hide parameters when not required.
In cases where the value 119nuju is really important to you, don't pass it this way; instead consider encryption, or use a key in TempData/Session for it and pass that key instead of that value. Then, when the request comes back to the server, retrieve the value by the key.
Important
If you use such ways (encryption, key, ...), it is still very important to check the permission of the user to see whether 119nuju or any related resource can be accessed by this user or not, to prevent Insecure Direct Object References.
Upvotes: 3
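The key-in-Session approach from the answer above, together with the permission check it calls for, as an added example that is not part of the original answer. It is a stand-alone C# console model in which a dictionary stands in for ASP.NET Session; the class name, the ownership table and the user names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example: one instance models one user's server-side session.
public class IndirectReferenceMap
{
    // Hypothetical ownership table: resource id -> owning user (constructed data).
    static readonly Dictionary<string, string> Owners =
        new Dictionary<string, string> { { "119nuju", "alice" } };

    // Stand-in for Session: random key -> real value, private to this session.
    readonly Dictionary<string, string> session = new Dictionary<string, string>();
    readonly string user;
    public IndirectReferenceMap(string user) { this.user = user; }

    // Store the real value server-side and return an opaque key for the URL.
    public string Issue(string realValue)
    {
        var buf = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(buf);
        string key = BitConverter.ToString(buf).Replace("-", "").ToLowerInvariant();
        session[key] = realValue;
        return key;
    }

    // Resolve the key from the request, then authorize the resolved value.
    public string Resolve(string key)
    {
        string value;
        if (key == null || !session.TryGetValue(key, out value))
            return null; // key unknown in this session
        string owner;
        if (!Owners.TryGetValue(value, out owner) || owner != user)
            return null; // key resolved, but this user may not access the resource
        return value;
    }

    public static void Main()
    {
        var alice = new IndirectReferenceMap("alice");
        var bob = new IndirectReferenceMap("bob");
        string key = alice.Issue("119nuju");
        Console.WriteLine("?at=" + key);                          // what the browser sees
        Console.WriteLine(alice.Resolve(key) ?? "denied");        // key used in its own session
        Console.WriteLine(bob.Resolve(key) ?? "denied");          // same key, different session
        Console.WriteLine(bob.Resolve(bob.Issue("119nuju")) ?? "denied"); // valid key, no permission
        Console.WriteLine(alice.Resolve("119nuju") ?? "denied");  // raw value is not a key
    }
}
```

The fourth call is the case the answer's "Important" note covers: the key is valid for the session, and only the ownership check stops the access.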
Reputation: 863
You can hide the values in a header, but more coding is needed. Still, it's a good method. Search more about passing values in the header. It's much more secure since the value is passed in the request header, not in the request body. It's also much better than encryption, since even that method will show some random text in your URL. To make it clean you can use this.
Upvotes: 0
Reputation: 2898
One way is a cookie. You can hide it by passing the parameter value with cookies.
// Client side (JavaScript)
function SetCookie(name, value, days) {
    var expires = "";
    if (days) {
        var date = new Date();
        date.setTime(date.getTime() + (days * 24 * 60 * 60 * 1000));
        // toUTCString() replaces the deprecated toGMTString()
        expires = "; expires=" + date.toUTCString();
    }
    document.cookie = name + "=" + value + expires + "; path=/";
}
SetCookie('at', '+119nuju', 1);
// Server side (C#)
if (HttpContext.Request.Cookies["at"] != null) // Check that it exists
{
    HttpCookie cookie = HttpContext.Request.Cookies.Get("at"); // Get cookie
}
Upvotes: 0