Tunji Adeloye

Reputation: 39

Hide url routing parameters in asp.net mvc

Is there a method for specifically hiding the routing parameters in ASP.NET MVC from the users? Specifically, I'd like a link

http://sitename.com/Do?title = 2 to simply become http://sitename.com/Do

but internally pass the titleId to my controller.

Is that doable?

Thanks

Update: yes, there are buttons on my webpage that currently have such as their href, but I'd rather hide all the parameters so users don't go to other parts of the page directly by trying different parameters. @Moshe, no, it's not a form submit or post, else I'd have used a strongly typed view. Thanks

Upvotes: 2

Views: 4939

Answers (2)

slfan

Reputation: 9129

As long as your parameters are on the client, they are never 'hidden' unless you encrypt them. You could store the parameter in a hidden field and set the action method to post, then the value is not visible in the URL. But a user with a little bit of knowledge about the web could still manipulate the hidden field (unless you encrypt the value in some way).

EDIT: If it has to be safe, you have to check the user's credentials on the server. Otherwise you can obscure the data like in the other sample or you can use encryption, e.g. with ProtectData.Protect(...).

Upvotes: 2

jkokorian

Reputation: 3095

For simple numeric values that have to be passed back and forth to a view you can write two private methods in your controller:

private int Obscure(int source) {
    return (source*source) * 3; //or something clever you come up with
}

private int DeObscure(int obscuredValue) {
    return (int)Math.Sqrt(obscuredValue / 3); //inverse the Obscure method
}

You can use these to obscure values before you pass them to a view, and de-obscure them after you get them posted back. Mind you, this is really not a good way to implement security, as is explained in this Stack Overflow post.

Another option is to create an Obscure/DeObscure procedure that takes in the entire querystring and somehow mangles that back and forth. This would require writing a custom ViewEngine though. Sounds interesting...

Upvotes: 0
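
Added example, not part of either answer: both answers note that a value held by the client can be changed, and that obscuring it is not security. The C# sketch below makes the id tamper-evident instead of hiding it, by attaching an HMAC over the user name and titleId and verifying it on the server. The class name TitleToken, the user names and the in-memory key are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: ties a titleId to the signed-in user with an HMAC, so an
// edited id or a token copied to another account fails the server check.
public static class TitleToken
{
    // Assumption: a real site loads this key from protected server config.
    // This constructed demo key is regenerated each time the process starts.
    private static readonly byte[] Key = new byte[32];
    static TitleToken() { using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(Key); }

    private static string Mac(string user, int titleId)
    {
        using (var hmac = new HMACSHA256(Key))
            return Convert.ToBase64String(
                hmac.ComputeHash(Encoding.UTF8.GetBytes(user + "\n" + titleId)));
    }

    public static string Create(string user, int titleId) => titleId + "." + Mac(user, titleId);

    // Sets titleId and returns true only if the token was issued to this user.
    public static bool TryRead(string user, string token, out int titleId)
    {
        titleId = 0;
        int parsed;
        var parts = (token ?? "").Split(new[] { '.' }, 2);
        if (parts.Length != 2 || !int.TryParse(parts[0], out parsed)) return false;
        string expected = Mac(user, parsed), given = parts[1];
        // Compare every character so timing does not reveal a partial match.
        int diff = expected.Length ^ given.Length;
        for (int i = 0; i < expected.Length && i < given.Length; i++)
            diff |= expected[i] ^ given[i];
        if (diff == 0) titleId = parsed;
        return diff == 0;
    }

    public static void Main()
    {
        int id;
        string token = Create("alice", 2);   // constructed sample values
        Console.WriteLine(TryRead("alice", token, out id));                    // token as issued
        Console.WriteLine(TryRead("alice", "3" + token.Substring(1), out id)); // id edited by client
        Console.WriteLine(TryRead("bob", token, out id));                      // token reused by another user
    }
}
```

The token can travel in a hidden field or a route value; Base64 output can contain '+', '/' and '=', so URL-encode it if it goes into a link. The id is still readable inside the token, so the server-side check of what the user may open remains the actual control.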
