在ASP.NET MVC的URL保护标识 [英] Protecting IDs on a URL in ASP.NET MVC
问题描述
我在ASP.NET MVC一个典型的CRUD应用程序的工作,其中将有多个用户帐户,每次都会有一批项目。
I'm working on a typical CRUD application in ASP.NET MVC where there will be multiple user accounts and each will have a number of items.
当一个用户正在编辑一个项目,他们会做它的URL,如 /编辑/ 5 ,其中重$ P $数psents行的ID在数据库中。
When a user is editing an item, they will be doing it on a URL such as /edit/5 where the number represents the ID of the row in the database.
我有一个用户只需更改ID到其他用户的项的ID,并能够改变它的一些担忧。为了保护ID,下面的解决方案已经发生,我:
I have some concerns about one user simply changing the ID to the ID of another user's item and being able to change it. To protect the ID, the following solutions have occurred to me:
- 进行加密,这样就不能轻易改变 - 但是我当然得有code每次回发到解密 。
- 更改数据库架构,这样一个GUID也是ID旁边的产生,这是使用的URL。
-
保留读取ID为是,包括登录用户的用户名在该项目查询,以便查询看起来像:
- Encrypt it so it can't be easily changed - but then of course I have to have code to decrypt it each time it posts back.
- Change the database schema so that a GUID is also produced beside the ID and this is used in the URL.
Leave the readable ID as is and include the logged in user's UserID in queries for the item so that queries would look like:
database.Items.SingleOrDefault(C => c.UserID == [当前登录的用户ID]和放大器;&安培; c.ID == ITEMID);
database.Items.SingleOrDefault(c => c.UserID == [currently logged in user ID] && c.ID == itemID);
也许有一个更好的办法还是我没有想到的一种方式。什么是防止这个问题你preferred方法?
Maybe there's a better way or a way I have not thought of. What is your preferred method for protecting against this issue?
推荐答案
绝对是第三个解决方案。获取登录的用户ID从加密的cookie(参见 FormsAuthentication ),并用它在SQL查询来验证项目属于用户
Definitely the third solution. Get the logged in user id from an encrypted cookie (cf. FormsAuthentication) and use it in the SQL query to verify that the item belongs to the user.
这篇关于在ASP.NET MVC的URL保护标识的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
