In mvc, when submitted to a controller, how can I verify that a user hasn't maliciously changed readonly hidden form fields?
2 Answers
2
When displaying the form fields render a hidden field that contains a hash for the displayed values.
When receiving the post request hash the received data again and compare this hash to the value of the hidden field.

Mathias F
-
As more people suggest, I realize it may be the right thing to do. Can you link to some info regarding this system? – Tal l May 08 '12 at 20:17
-
Try this http://stackoverflow.com/questions/1757419/check-if-the-user-changed-data – Mathias F May 08 '12 at 20:24
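An added example (not from the answer or the linked question) of the render-a-hash-then-compare scheme in Python. It uses a keyed hash (HMAC-SHA256 over the hidden values with a server-side secret) rather than a plain digest, because a digest of values the client can see could simply be recomputed by whoever edits them. The secret, the protected field names, the `__sig` field name and the dict-shaped form data are assumptions; the framework's own request and view objects stand in behind them.

```python
import hmac
import hashlib

# Assumption: a per-application secret loaded from configuration. The client
# must never learn it, otherwise it could recompute the tag after editing.
SERVER_SECRET = b"constructed-demo-secret-replace-in-real-deployments"

# Hidden fields that are read-only from the user's point of view (assumed names).
PROTECTED_FIELDS = ("order_id", "unit_price", "customer_id")


def _canonical(fields, values):
    # Fixed field order plus length-prefixed values, so that e.g. ("ab", "c")
    # and ("a", "bc") can never serialise to the same byte string.
    parts = []
    for name in fields:
        value = str(values[name])
        parts.append(f"{name}={len(value)}:{value}")
    return "&".join(parts).encode("utf-8")


def sign_hidden_fields(values, fields=PROTECTED_FIELDS, key=SERVER_SECRET):
    """Return the hex tag to render in one extra hidden field."""
    return hmac.new(key, _canonical(fields, values), hashlib.sha256).hexdigest()


def verify_hidden_fields(posted, fields=PROTECTED_FIELDS, key=SERVER_SECRET,
                         tag_field="__sig"):
    """True only if every protected field still carries the value the server rendered."""
    tag = posted.get(tag_field)
    if tag is None or any(name not in posted for name in fields):
        return False
    expected = sign_hidden_fields(posted, fields, key)
    # Constant-time comparison: do not leak how many leading characters matched.
    return hmac.compare_digest(expected.encode("utf-8"), str(tag).encode("utf-8"))


def render_form(values):
    """Simulate the GET side: the hidden fields plus their signature."""
    form = {name: str(values[name]) for name in PROTECTED_FIELDS}
    form["__sig"] = sign_hidden_fields(form)
    return form


if __name__ == "__main__":
    # Constructed sample data.
    rendered = render_form({"order_id": 1042, "unit_price": "19.99", "customer_id": 7})
    print("untouched form accepted:", verify_hidden_fields(rendered))
    tampered = dict(rendered, unit_price="0.01")
    print("edited price rejected:", verify_hidden_fields(tampered))
```

On the POST side the controller calls `verify_hidden_fields` before trusting any of the protected values; if the tag is missing or does not match, the request is rejected rather than repaired. Rotating `SERVER_SECRET` invalidates every form rendered before the rotation, which is usually the desired behaviour.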
1
Two options I can think of:
- Encrypt the fields when displaying them, then decrypt server side and use the value
- Don't store sensitive information in hidden fields and instead store them in the session (recommended)

Omar
-
Thanks. Sessions were considered and disqualified, because they reveal a different kind of data disruption threat. For example, in case of using more than one browser at a time. – Tal l May 08 '12 at 14:45
-
Can you explain what you mean when using more than one browser at a time? If you're using more than one browser at a time you can still store things in the session. – Omar May 08 '12 at 15:30
-
Sure I can. By saying more than one I mean through another tab, or even a new browser window. Consider the following scenario: in order to construct an entity with quite a lot of information, I need to perform a sequence of form submissions. Every time I return a view from a controller, I need to pass some ids about the not-yet-established entity. If you're working with more than one browser tab, they both pass the same session... – Tal l May 08 '12 at 15:51
-
Of course, by saying "If you're working with more than one browser tab" I mean on two different entities ... – Tal l May 08 '12 at 15:58
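An added example (not from the answer or its comments) of the session option, written so that it also covers the several-tabs scenario raised in the comments: each rendered form gets its own random token, the read-only values are kept server side under that token, and the browser only round-trips the token. Two tabs working on two different entities in the same session therefore never overwrite each other. It is Python with a plain dict standing in for the framework's session object; the `FormStateStore` class and the `__form_token` field name are assumptions.

```python
import secrets


class FormStateStore:
    """Server-side keeper of the values a form is not allowed to change.

    Assumption: `session` is a dict-like, per-user session object as most
    MVC frameworks provide. Nothing here is framework-specific.
    """

    KEY = "_form_state"

    def __init__(self, session, max_open_forms=20):
        self.session = session
        self.max_open_forms = max_open_forms

    def stash(self, protected_values):
        """Call when rendering the form; put the returned token in one hidden field."""
        store = self.session.setdefault(self.KEY, {})
        if len(store) >= self.max_open_forms:
            # Evict the oldest entry (dicts keep insertion order) so abandoned
            # tabs cannot grow the session without bound.
            del store[next(iter(store))]
        token = secrets.token_urlsafe(32)
        store[token] = dict(protected_values)
        return token

    def resolve(self, posted):
        """Call on POST; returns the stored values, or None if the token is missing or unknown.

        The token is single-use, so a stale or replayed form is rejected.
        """
        store = self.session.get(self.KEY, {})
        token = posted.get("__form_token")
        if not isinstance(token, str):
            return None
        return store.pop(token, None)


def two_tabs_demo():
    """Constructed scenario: one session, two tabs editing two different entities."""
    session = {}
    store = FormStateStore(session)

    # GET: each tab renders its own form and receives its own token.
    tab_a = store.stash({"entity_id": 101, "owner_id": 7})
    tab_b = store.stash({"entity_id": 202, "owner_id": 7})

    # POST: a client-edited copy of entity_id in the body is simply ignored,
    # because the controller reads the value from the store, not the form.
    values_a = store.resolve({"__form_token": tab_a, "entity_id": "999"})
    values_b = store.resolve({"__form_token": tab_b})
    replayed = store.resolve({"__form_token": tab_a})
    return values_a, values_b, replayed


if __name__ == "__main__":
    a, b, again = two_tabs_demo()
    print("tab A:", a)
    print("tab B:", b)
    print("tab A resubmitted:", again)
```

The controller then uses the returned dict as the source of truth and treats a `None` result as an invalid submission. Because the values never leave the server, there is nothing for the user to edit, and the per-form token is what keeps concurrent tabs apart.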