
CustomerId and Request.QueryString in ASP.NET

Request.QueryString is not very safe. In case someone is logged in, just by typing in the URL

myaccount.aspx?custId=10

one can get the information of another customer.

So it's not safe at all. The reason for posting this was because I wanted an alternative way of passing customerId between pages. Perhaps encrypt it?


Really, for myaccount.aspx you shouldn't need a user to pass their ID in as a parameter.

As others have said, use Membership. Or create a hash (an encrypted value) of a user's ID and password and save that as a cookie or in the session object. You can read that instead of an input parameter.


Query strings are safe and are not flawed.

What is flawed and unsafe is trusting user input data. It is your responsibility to verify the data being sent to the server is not malicious and that the requested action is allowed for the logged in user.

You should take that query string value, make sure it is the valid type (your example appears to be an integer) and then, before fetching the customer's data, make sure the user is allowed to access that customer's data.
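The two checks this answer describes (type-validate the query-string value, then authorize it against the logged-in user before touching the data) as an added worked example for Web Forms. This is not code from any post in the thread: `ICustomerRepository`, `InMemoryCustomerRepository`, the constructed customer rows, `CustomerAccess.Resolve` and the `lblName` control are all hypothetical names chosen for illustration, and the example assumes Forms Authentication or ASP.NET Membership has already populated `User.Identity.Name`.

```csharp
// Added example for this thread; not code from the original posts.
// Assumes a hypothetical ICustomerRepository and that Forms Authentication or
// ASP.NET Membership has already set User.Identity.Name for the request.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public class Customer
{
    public int Id;
    public string OwnerUserName;   // the membership user this record belongs to
    public string Name;
}

public interface ICustomerRepository
{
    // Returns null both when the id does not exist and when it exists but
    // belongs to someone else, so the caller cannot tell the two cases apart.
    Customer FindOwnedBy(int customerId, string userName);
}

// Constructed in-memory data (hypothetical) so the example is self-contained.
public class InMemoryCustomerRepository : ICustomerRepository
{
    private readonly Dictionary<int, Customer> _rows = new Dictionary<int, Customer>
    {
        { 10, new Customer { Id = 10, OwnerUserName = "alice", Name = "Alice Ltd" } },
        { 11, new Customer { Id = 11, OwnerUserName = "bob",   Name = "Bob GmbH"  } },
    };

    public Customer FindOwnedBy(int customerId, string userName)
    {
        Customer c;
        if (_rows.TryGetValue(customerId, out c) &&
            string.Equals(c.OwnerUserName, userName, StringComparison.OrdinalIgnoreCase))
            return c;
        return null;
    }
}

public enum AccessOutcome { Ok, NotAuthenticated, BadId, NotFound }

public static class CustomerAccess
{
    // Validates the raw query-string value and authorizes it against the
    // logged-in principal. Pure function: testable without an HttpContext.
    public static AccessOutcome Resolve(string rawCustId, IPrincipal user,
                                        ICustomerRepository repo, out Customer customer)
    {
        customer = null;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
            return AccessOutcome.NotAuthenticated;

        // Step 1: type check. Rejects "", "abc", "-5", "10 OR 1=1" and so on.
        int custId;
        if (!int.TryParse(rawCustId, out custId) || custId <= 0)
            return AccessOutcome.BadId;

        // Step 2: ownership check, done as part of the lookup itself so a
        // record that is not the caller's is never loaded in the first place.
        customer = repo.FindOwnedBy(custId, user.Identity.Name);
        return customer == null ? AccessOutcome.NotFound : AccessOutcome.Ok;
    }
}

// Code-behind for myaccount.aspx. The vulnerable pattern from the question is
// effectively FindById(int.Parse(Request.QueryString["custId"])) with no owner check.
public partial class MyAccount : Page
{
    private static readonly ICustomerRepository Repo = new InMemoryCustomerRepository();

    protected void Page_Load(object sender, EventArgs e)
    {
        Customer customer;
        switch (CustomerAccess.Resolve(Request.QueryString["custId"], User, Repo, out customer))
        {
            case AccessOutcome.NotAuthenticated:
                // web.config <deny users="?"/> normally handles this first;
                // checking again here is defence in depth.
                Response.Redirect(FormsAuthentication.LoginUrl, true);
                return;
            case AccessOutcome.BadId:
                Response.StatusCode = 400;
                Response.End();
                return;
            case AccessOutcome.NotFound:
                // Same status for "no such customer" and "not yours", so the
                // page cannot be used to enumerate which IDs exist.
                Response.StatusCode = 404;
                Response.End();
                return;
        }
        // Authorized: safe to render. lblName is an assumed Label control on the page.
        lblName.Text = Server.HtmlEncode(customer.Name);
    }
}
```

With the ownership check folded into `FindOwnedBy`, changing `custId=10` to `custId=11` in the URL gets alice a 404 rather than bob's record. For a page like myaccount.aspx that only ever shows the caller's own data, the simpler route the other answers suggest also applies: drop the parameter and look the customer up by `User.Identity.Name` alone.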


That's not the responsibility of the QueryString. You should implement an authentication and authorization system, preferably with a MembershipProvider and RolesProvider.


It does what it's supposed to do. It is up to you to secure your site. No one said everything in the querystring is used for sensitive access related functionality.


There is no safe way to pass it. Once the user has logged in, store the ID in Session or something equivalent, then always take it from there.


You can check asp.net membership


You should be using ASP.NET security to authenticate and authorize customers so that the logged in user is checked to see if they have access to the customer ID specified in the query string.
