在ASP.NET MVC ViewModel中存储模型ID，安全性问题 [英] Storing Model ID in ASP.NET MVC ViewModel, Security issues

问题描述

在我的MVC应用程序中，我有一个页面供用户编辑其帐户详细信息，例如电子邮件地址，密码等.在我的数据库中，用户表保存此数据，主键为UserId.

在我创建的ChangeAccountDetails视图上，我传递了一个ViewModel，其中包含用户应该能够在其帐户上修改的数据.我还将UserId存储在ViewModel中，该ViewId呈现到我的实际视图中的隐藏字段中.我担心这是不安全的，因为在执行保存已更改数据的POST操作时，我的服务层将加载刚刚由ViewModel中发回的UserId更改的User帐户详细信息的持久版本.

我已经使用Fiddler更改了POST请求，并将UserId更改为数据库中另一个User记录的UserId，这可能会带来严重的问题，因为有人可能会以这种方式更改他人的密码和/或其他详细信息.

请有人建议我在使用ViewModels时如何避免此类问题.是不是在这种情况下使用Session是唯一方法(我知道最好避免使用Session，但是为此呢?)?

解决方案

我通过加密的sessionKey方法执行此加密密钥，该密钥保存用户详细信息(例如ID等).ID的隐藏字段在表单上始终为零，并且更改为我的user.UserId的ID.

我有一个用户模型(用户)，并且该模型中填充了会话中的解密数据，这就是我处理用户级别等的方式.

我未加密的字符串如下所示:userid ||电子邮件|| datetimelogin || users-GUID ||实名||用户级别

然后使用位于255处的私钥对其进行加密.

虽然我想大多数情况下，很容易忘记人们可以摆弄ID，但这只是一个思想，很好的观点.

zasz的上述想法也是完全正确的，但是您必须构建一个视图模型来考虑GUID的额外字段并考虑缺少的UserId字段.

In my MVC application I have a page for a user editing their account details such as email address, password etc. In my database a User table holds this data and the primary key is UserId.

On the ChangeAccountDetails view I have created I pass a ViewModel with the data the user should be able to modify on their account. I also store the UserId in the ViewModel which is rendered into a hidden field on my actual view. I have a concern that this is not safe for the reason that on POST action to save the changed data, my service layer loads the persisted version of the User account details that have just been changed by the UserId sent back in the ViewModel.

I have used Fiddler to alter the POST request and changed the UserId to the UserId of another User record in my database, this can have serious problems as someone could potentially change someone elses password and/or other details this way.

Please could someone advise on how I could avoid such a problem when using ViewModels. Is it that using Session in this case is the only way(I know using Session is best avoided but what about for this purpose)?

解决方案

I do it through a method of encrypted sessionKey this encrypted key holds user details such as ID etc. the hidden field for ID is always zero on the form and this is changed to the ID of my user.UserId.

I have a user model (user) and that model is populated with the decrypted data from the session it is how i deal with userlevel etc.

my unencrypted string looks like this: userid||email||datetimelogin||users-GUID||Real Name||userlevel

this then gets encrypted with there own private key at 255.

Just a thought, good point though i guess for most it is quite easy to forget that people could fiddle with the ID.

the idea above by zasz is perfectly valid too but then you would have to build a view model to account for the extra field of GUID and to account for the missing UserId field.

这篇关于在ASP.NET MVC ViewModel中存储模型ID，安全性问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！