How can I hide ID in URL with asp.net MVC4


Problem description

My URL

http://www.domain.com/Products/{Alias}-{ID}

My route

routes.MapRoute(
    name: "ProductDetail",
    url: "Products/{Alias}-{detailId}",
    defaults: new { controller = "Products", action = "ProductDetail", id = UrlParameter.Optional }
);

In the controller

public ActionResult ProductDetail(int? detailId)
{
    var pro = db.Products.Find(detailId);
    if (pro == null)
    {
        return RedirectToAction("Index", "NotFound");
    }
    return View(pro);
}

Now, I want to hide ID in my URL like

http://www.domain.com/Products/{Alias}

How can I do that?

Recommended answer

Short Answer

It is not possible to do what you want. In that if you want to be able to access the detailId from your controller then you must pass the detailId as part of your URL - you cannot access something that does not exist.

Long Answer

There are other ways to get around 'hiding' the detailId from the user, and here are some suggestions:

1. Use Alias instead:

You can remove detailId altogether and use the Alias value instead. This however will require the Alias value to be unique to the product you are trying to query, and the required changes might look like this:

routes.MapRoute(
    //..
    url: "Products/{Alias}",
    //..
);

public ActionResult ProductDetail(string Alias)
{
    var pro = db.Products.FindByAlias(Alias);
    //...
}

2. Use a POST request:

Another solution that will effectively hide the detailId from the URL but still allow the value to be passed to the controller would be to use a POST request, where the parameter value would be specified in the POST request body.

The drawback of this however is that you cannot simply provide a URL for the user to click, and coding links within your site takes considerably more effort. Typically with MVC, POST requests occur when a form is submitted, and you can also do POST requests with javascript ajax calls.

This is a bit too much to go into in this answer so if you are interested then do some research, such as this question, or some general info here.

3. Encrypt the detailId value:

Now this option doesn't hide the detailId from the URL, but if your concern is that the current ID is just too user friendly then you could 'encrypt' (used loosely) the value. For example you could convert to a base64 string, and then back to an int within your controller. This would give you a URL something like this:

http://www.domain.com/Products/{Alias}-MQ%3D%3D

This URL represents 1 as the detailId and you have to be sure to URL encode/decode your values if using this method.

In this instance, Base64 conversion isn't really 'encrypting' it, any semi-savvy user will notice this and could get around it. But you could just as easily use a more secure 2-way encryption algorithm if you wanted to take this approach, one where only the server knows the encryption/decryption key. The drawback here is that only the server will be able to produce valid URLs for your users to 'click on'.

At this point it is worth considering that if your concern is that the URL is too user friendly by including a simple numeric ID, then the question is: why do you care?

If you are worried the user could simply change the detailId value and then have access to products they should have access to, then you have a bigger problem with security. If this is the case, then your controller should be responsible for validating if the user has access to the product they are trying to access, and then act accordingly.

All security checking and validation should be handled server-side, never rely on your client code or user actions to do it for you.
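
One way to build the server-keyed token from option 3, as an added example that is not code from the original answer. It assumes .NET 4.5 (for `MachineKey.Protect`) and a route that passes the value as `token` in its own segment, such as `Products/{Alias}/{token}`, because `UrlTokenEncode` output can contain `-`; `ProductIdToken`, `ProductsControllerBase`, `FindProduct` and `CanView` are hypothetical names.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Added example: opaque, tamper-evident ID tokens keyed by the server's machineKey.
public static class ProductIdToken
{
    // The purpose string binds tokens to this one use; its value is an assumption.
    private const string Purpose = "ProductDetail.detailId";
    public static string Protect(int id)
    {
        byte[] sealedBytes = MachineKey.Protect(BitConverter.GetBytes(id), Purpose);
        return HttpServerUtility.UrlTokenEncode(sealedBytes); // URL-safe, no %3D escaping
    }
    public static bool TryUnprotect(string token, out int id)
    {
        id = 0;
        if (string.IsNullOrEmpty(token)) return false;
        try
        {
            byte[] sealedBytes = HttpServerUtility.UrlTokenDecode(token);
            if (sealedBytes == null) return false;
            byte[] plain = MachineKey.Unprotect(sealedBytes, Purpose);
            if (plain == null || plain.Length != sizeof(int)) return false;
            id = BitConverter.ToInt32(plain, 0);
            return true;
        }
        catch (FormatException) { return false; }        // not valid base64url text
        catch (CryptographicException) { return false; } // forged or altered token
    }
}

// Hypothetical base class: a concrete controller supplies the lookup and the access rule.
public abstract class ProductsControllerBase : Controller
{
    protected abstract object FindProduct(int id);                    // e.g. db.Products.Find(id)
    protected abstract bool CanView(IPrincipal user, object product); // your authorization rule
    public ActionResult ProductDetail(string token)
    {
        int detailId;
        if (!ProductIdToken.TryUnprotect(token, out detailId)) return RedirectToAction("Index", "NotFound");
        object pro = FindProduct(detailId);
        if (pro == null) return RedirectToAction("Index", "NotFound");
        // The token only hides the number; access is still decided here, server-side.
        if (!CanView(User, pro)) return new HttpStatusCodeResult(403);
        return View(pro);
    }
}
```

On a web farm every server needs the same `machineKey` configuration, otherwise a token issued by one server will not unprotect on another.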
