CODEWITHSUNDEEP
c#asp.net-mvc-3
Hari Gillala
Hari Gillala

Reputation: 11926

Hide QueryString MVC3 -ASP.NET

I am storing Vaues in RouteData as below.

new RouteValueDictionary(new { Controller = "Absence", Action = "AmendAbsence", Id = PersonGuidSelected })

I am getting the value form RouteData using the following RouteData.Values["id"].ToString()

this is okey, But the values are visible in the URL. I do not want the values to be seen in the URL.

How could I do that?

Is anyone did this before?

Upvotes: 1

Views: 1986

Answers (2)

Roy Dictus
Roy Dictus

Reputation: 33149

You could store it encrypted in the URL; simply encrypt every Querystring parameter. This has the advantage that your user can bookmark the page with the parameters (unless that is not what you want; then you can add expiration timing to your encrypted values, so that you can detect whether the URL has already expired).

Option #2 is to store your values, if you need to persist them from pageview to pageview, in encrypted non-persisted cookies on the client. You want them to be encrypted so that they cannot be read from the memory of the browser, and you want them to be non-persistent so that they do not get saved to a file. The user cannot bookmark the URL.

Option #3 is the least scalable, that is to store it in Session state on your ASP.NET server or on a State server. Either server should not be vulnerable, and therefore it is not necessary to use encryption here. But if your server is slow and/or you have a lot of visitors, this can slow down the machine. Again, visitors cannot bookmark the URL, because the parameters are not stored there.

Option #4 is to store a hash key in the URL, and to store the actual data related to that hashkey in memory or a database. Again, you have to see if this is practical in your case. Users may or may not be able to bookmark the URL, that's your choice -- if they can, then you'll need to keep a permanent record of the (hash key, values) pair.

Upvotes: 3

Darin Dimitrov
Darin Dimitrov

Reputation: 1039498

If this is sensitive data there are a couple of possibilities:

  • Store it in a session on the server.
  • Store it in an encrypted cookie on the client. You could use the userData part of the FormsAuthentication ticket if you are using forms authentication. This way it will be sent along each request. But if it is really very sensitive data storing it on the server would be better. Then use the authenticated username to retrieve this data wherever you stored it on the server.

If it is not sensitive you could use POST instead of GET so that the typical user doesn't see it in the URL.

Upvotes: 2

Related Questions