Preventing URL manipulation attacks with MVC?

Views: 104

Question

Any good strategies, code snippets etc. for preventing URL manipulation?

For example I have this URL, http://localhost/profile/edit/5. The id could easily be changed to anything and thus people could edit profiles they are not supposed to.

Here are a few ideas I thought of, but they all have their drawbacks:

  1. Change my system to use GUID primary keys - makes it almost impossible to guess the keys - but people can still take the GUID from one part of the app and use it in another URL later.

  2. Use TempData to store the keys - prevents URLs being sent around / used later.

  3. Perform checks in the controller before displaying the page - means you have to do 'adminy' code everywhere to check operations.

What's the best thing to do? One of these or something else?

Answer

Number 3 is the correct thing to do. Server-side security validation is always what you need, because this is the mechanism that you completely control and can rely on.

Number 1 is security by obscurity, and if someone accidentally posts his URL somewhere (like people often do with session IDs when they copy/paste links), your "security" is broken.

Number 2 seems like weak security - if you go through the hassle, better implement proper security. That also allows people to bookmark the page.
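Option 3 in code, as an added example that is not part of the original question or answer: an ASP.NET MVC 5 controller (with a hypothetical `Profile` type and `IProfileRepository`) that treats the `id` in `/profile/edit/5` as untrusted input and checks ownership against the server-side authenticated identity on both GET and POST.

```csharp
using System;
using System.Web.Mvc;

// Hypothetical domain types, assumed for this example only.
public class Profile { public int Id; public string OwnerUserName; public string DisplayName; }
public interface IProfileRepository { Profile Find(int id); void Save(Profile p); }

[Authorize] // unauthenticated requests never reach the actions below
public class ProfileController : Controller
{
    private readonly IProfileRepository _profiles;
    public ProfileController(IProfileRepository profiles) { _profiles = profiles; }

    // GET /profile/edit/5 : the id comes straight from the URL and must not be trusted.
    [HttpGet]
    public ActionResult Edit(int id)
    {
        var profile = _profiles.Find(id);
        if (profile == null) return HttpNotFound();
        if (!CanEdit(profile)) return new HttpStatusCodeResult(403);
        return View(profile);
    }

    // POST /profile/edit/5 : repeat the check; a GET-only check is bypassed by a hand-built POST.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Edit(int id, string displayName)
    {
        var profile = _profiles.Find(id);
        if (profile == null) return HttpNotFound();
        if (!CanEdit(profile)) return new HttpStatusCodeResult(403);
        // Copy only the fields the user is allowed to change; never bind OwnerUserName from the request.
        profile.DisplayName = displayName;
        _profiles.Save(profile);
        return RedirectToAction("Edit", new { id });
    }

    // The decision is based on the server-side principal (User), never on anything in the request.
    private bool CanEdit(Profile profile)
    {
        return User.IsInRole("Admin")
            || string.Equals(profile.OwnerUserName, User.Identity.Name, StringComparison.OrdinalIgnoreCase);
    }
}
```

Once `CanEdit` is needed in several controllers, the same logic can move into a custom `AuthorizeAttribute` so the per-action 'adminy' code collapses to one attribute; returning 404 instead of 403 for foreign ids is a reasonable choice when you do not want to confirm that a profile exists.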
