How to stop user from changing querystring
How do I protect the url from a user changing one of the param/value pa开发者_高级运维irs?
Thanks.
You can't.
You need to validate them. You should make sure your page accepts only valid input for each of the parameters. "Valid" may mean many things, like "Does the user have access to view this" and so on.
You can add an HMAC hash of the querystring using a secure random key stored only on the server, then verify the hash on every request.
You could encrypt them or hash them and persist the real value cross request.
You can't. It's by definition an external interface. If your system's security depends on this, you should re-think how it's done.
Protect it and prevent from changing are two different things. You can't prevent them from changing it, but you can protect/verify.
精彩评论