Prevent change of hidden field

Question

What if I have ChangePassword form with hidden ID field of the user.

BadPerson knows id of GoodPerson. He opens Change Password form with FireBug, changes his Id to GoodPerson's Id, so password changes for GoodPerson.

Of course I can create some server logic that will prevent this, but I think there should be some out of the box solution, which throws if the hidden field has been changed, which I don't know.

Thanks in advance.

EDIT: Ok, Change Password is a bad example. Any edit form where I have the id in a hidden field has the same problem.

Answer

There is nothing that will let you know whether the value of a hidden field has been changed or not. For a user to change his password it means that he needs to be authenticated. When using forms authentication the ID of the currently authenticated user is stored in an encrypted cookie which cannot be modified.

This is to say that you shouldn't use hidden fields for storing the currently connected user. Just use the built-in FormsAuthentication mechanism in ASP.NET and never store such information in hidden fields. The way ASP.NET knows that the value of the cookie hasn't been tampered with is that it signs it with the machineKey specified in the configuration.

There's an important rule that you should follow when dealing with security and authentication: always use built-in security mechanisms, never roll your own.
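The answer's advice as an added example (not code from the question or the answer): an ASP.NET MVC controller with the hidden-field action beside the version that takes the identity from the forms authentication ticket, plus the server-side ownership check that a general edit form needs when it must carry a record id (the asker's EDIT case). The IUserStore and Profile types are hypothetical placeholders for the application's own data access.

```csharp
using System.Web.Mvc;

// Hypothetical data access, assumed for illustration; not part of ASP.NET.
public interface IUserStore
{
    void SetPassword(string userName, string newPassword);
    Profile GetProfile(int profileId);
    void SaveProfile(Profile profile);
}

public class Profile { public int Id; public string OwnerUserName; public string DisplayName; }

public class AccountController : Controller
{
    private readonly IUserStore _store;
    public AccountController(IUserStore store) { _store = store; }

    // BEFORE: the target account comes from a hidden field, which the browser
    // controls. Editing that input changes another user's password (the IDOR
    // described in the question). Nothing server-side can tell it was edited.
    [HttpPost]
    public ActionResult ChangePasswordInsecure(string userName, string newPassword)
    {
        _store.SetPassword(userName, newPassword);
        return RedirectToAction("Index");
    }

    // AFTER: [Authorize] requires a valid forms authentication ticket; ASP.NET
    // checks its signature/encryption against machineKey before populating User,
    // so User.Identity.Name cannot be chosen by the client. No hidden field needed.
    [Authorize]
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult ChangePassword(string newPassword)
    {
        _store.SetPassword(User.Identity.Name, newPassword);
        return RedirectToAction("Index");
    }

    // Edit forms that genuinely need a record id: keep the id in the form, but
    // load the record on the server and verify the authenticated user owns it.
    [Authorize]
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult EditProfile(int id, string displayName)
    {
        var profile = _store.GetProfile(id);
        if (profile == null || profile.OwnerUserName != User.Identity.Name)
            return new HttpNotFoundResult();   // same response for missing and foreign records
        profile.DisplayName = displayName;
        _store.SaveProfile(profile);
        return RedirectToAction("Index");
    }
}
```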
