How to hide parameters in URL


Problem description

I want to hide URL parameters.
For example /default.aspx?id=23
Here I want to hide the parameter id so any user can't change this parameter in the URL.
Or another is, if the user changes id=23 to 27, then the same page will be displayed. It means the page for id=23 could not be changed by changing the id in the URL. What is the solution for this?

Recommended answer

(1) Use a form and POST the information. This might require additional code in source pages, but should not require logic changes in the target pages (merely change Request.QueryString to Request.Form). While POST is not impossible to muck with, it's certainly less appealing than playing with QueryString parameters.

(2) Use session variables to carry information from page to page. This is likely a more substantial effort compared to (1), because you will need to take session variable checking into account (e.g. the user might now have a difficult time navigating around using their Back and Forward buttons, if you are constantly checking state). You will also need to deal with the case where session cookies are not enabled (this solution will not work for these people).

(3) Use "encoded" or non-sensical information in the QueryString in place of the real data. This will require the effort of creating an encoding and decoding scheme on either end of all page submissions. Sure, users can still experiment and reverse engineer your scheme, however they will be less likely to quickly come up with meaningful changes to the existing QueryString.

(4) Use framesets. I really don't recommend this approach, though it is quite common. If you're trying to hide the information as opposed to making it more difficult to modify, users can still right-click the individual frames and click properties, in order to retrieve all of the information passed via QueryString.

(5) Use Server.Transfer to move control to a second page, which will still have access to the QueryString parameters passed to the first page (the URL of which was visible only briefly).

One problem with moving away from QueryStrings is that they make your site harder to use. If you are relying on any method other than (3), it is impossible for users to bookmark the current page as is... they can only bookmark the page in a way that resembles what would have happened if they had simply typed the URL in (which might not even work, depending on how you've constructed the page). So that's just one thing to keep in mind when deciding how sensitive your information really is, and how far you're willing to go in the balance of usability vs. security.


Also check these pages out:
http://www.codeproject.com/aspnet/urlrewriter.asp
http://weblogs.asp.net/scottgu/archive/2007/02/26/tip-trick-url-rewriting-with-asp-net.aspx
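
Option (3) above made tamper-evident, as an added C# example that is not part of the original answer: instead of an obscured value, the server appends an HMAC over the parameter, so a link whose id=23 was edited to 27 fails verification. The class and method names and the demo key are hypothetical; the key is assumed to come from protected server configuration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example: tamper-evident query-string value (hypothetical helper names).
public static class SignedParam
{
    // Constructed demo key; assumption: a real site loads it from protected configuration.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key-change-me");

    // Hex-encoded HMAC-SHA256 of the given text under the server-side key.
    private static string Mac(string text)
    {
        using (var hmac = new HMACSHA256(Key))
        {
            byte[] tag = hmac.ComputeHash(Encoding.UTF8.GetBytes(text));
            return BitConverter.ToString(tag).Replace("-", "").ToLowerInvariant();
        }
    }

    // Builds "name=value&sig=<hex>" for links the server emits.
    public static string Protect(string name, string value)
    {
        return name + "=" + Uri.EscapeDataString(value) + "&sig=" + Mac(name + "=" + value);
    }

    // True only if sig is the MAC of name=value; the comparison does not exit early.
    public static bool Verify(string name, string value, string sig)
    {
        if (value == null || sig == null) return false;
        string expected = Mac(name + "=" + value);
        if (expected.Length != sig.Length) return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++)
            diff |= expected[i] ^ char.ToLowerInvariant(sig[i]);
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        string query = SignedParam.Protect("id", "23");            // link emitted by the server
        string sig = query.Substring(query.IndexOf("&sig=") + 5);
        Console.WriteLine("/default.aspx?" + query);
        Console.WriteLine(SignedParam.Verify("id", "23", sig));    // link as issued
        Console.WriteLine(SignedParam.Verify("id", "27", sig));    // id edited in the address bar
    }
}
```

In a page handler the values would come from Request.QueryString["id"] and Request.QueryString["sig"]. A valid signature only shows the link was issued by the server, so the page still needs its own check that the current user may view that record.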


Hiding any part of a URL is highly suspicious. It is the sort of thing that is used in phishing attacks.

If you look at the URL displayed for your question it does not use an id, it uses a named page. This is a far better way to do it.


0) You could create a GUID string and place your value at a known position in the string.

1) I think you can actually hide the query string (not display it in the address bar) - Google is your friend.

2) Google "asp.net single sign-on"

