How do I encrypt URLs in ASP.NET MVC?

Problem description

I need to Encrypt the URLs in my ASP.NET MVC application.

Do I need to write the code in Global page in Route Collection to Encrypt all the URLs?

Recommended answer

It's a bad idea to encrypt a URL. Period.

You may wonder why I say that.

I worked on an application for a company that encrypted its URLs. This was a webforms application. From the URL alone, it was nearly impossible to tell what part of the code I was hitting to cause that issue. Because of the dynamic nature of calling the webform controls, you just had to know the path the software was going to go down. It was quite unnerving.

Add to that that there was no role based authorization in the application. It was all based on the URL being encrypted. If you could decrypt the URL (which if it can be encrypted, it can be decrypted), then you could conceivably enter another encrypted URL and impersonate another user. I'm not saying it's simple, but it can happen.

Finally, how often do you use the internet and see encrypted URLs? When you do, do you die a little inside? I do. URLs are meant to convey public information. If you don't want it to do that, don't put it in your URL (or require Authorization for sensitive areas of your site).

The IDs you're using in the database should be IDs that are ok for the user to see. If you're using an SSN as a primary key, then you should change that schema for a web application.

Anything that can be encrypted can be decrypted, and therefore is vulnerable to attack.

If you want a user to only access certain URLs if they're authorized, then you should use the [Authorize] attributes available in ASP.NET MVC.
