
First of all, thanks a million for all the help. I really do not know how to write this in Google, so here it goes. I'm currently concerned about a method I'm implementing in my web app. I'm using ASP.NET MVC 5 with EF6 and Identity 2.

There are many times in which I need to pass a specific row ID from a View to a Controller. The best approach I've come up with is to put it into a hidden form field, encrypted.

Here is the code I'm using:

using System;
using System.Text;
using System.Web;
using System.Web.Security;
using Microsoft.AspNet.Identity;

public class StringEncrypt : IEncrypt
{
    // Resolved lazily so the class can be constructed outside of a request.
    public Func<string> GetUserID;
    public StringEncrypt()
    {
        GetUserID = () => HttpContext.Current.User.Identity.GetUserId();
    }

    // The user ID is appended to this purpose string, so a token protected for one
    // user fails MachineKey.Unprotect (CryptographicException) for any other user.
    private string Purpose = "The authentication token is";

    public string Protect(string unprotectedText)
    {
        var unprotectedBytes = Encoding.UTF8.GetBytes(unprotectedText);
        // GetUserID() must be invoked: concatenating the delegate itself compiles,
        // but appends its type name, so the purpose would be identical for every user.
        var protectedBytes = MachineKey.Protect(unprotectedBytes, Purpose + GetUserID());
        var protectedText = Convert.ToBase64String(protectedBytes);
        return protectedText;
    }

    public string Unprotect(string protectedText)
    {
        var protectedBytes = Convert.FromBase64String(protectedText);
        // Throws CryptographicException if the data was altered or protected for
        // a different user; the caller decides how to handle that.
        var unprotectedBytes = MachineKey.Unprotect(protectedBytes, Purpose + GetUserID());
        var unprotectedText = Encoding.UTF8.GetString(unprotectedBytes);
        return unprotectedText;
    }
}

I would later on get them back in the controller and check for any integrity problems.

I was advised to avoid using hidden HTML form fields because they could be easily cracked.

Unfortunately, they are also suggesting that I use Session[], which runs into the following article: http://brockallen.com/2012/04/07/think-twice-about-using-session-state/

It says that I should avoid the use of Session[] altogether.

Also, this comment makes lots of sense:

Note that Session could introduce bugs when someone attempts to edit multiple forms at once in different tabs. When they save one, the Session value taken would be from the last one they loaded up to save... likely not what you will want, and it would likely be difficult to figure this out.

From here: https://stackoverflow.com/a/4224371/1057052

What is the recommended way to do this?

Thanks a million!!

Jose A
  • I don't understand exactly what you mean to do. If it's authentication, use a built-in library (for instance, Identity contains information about you and your password, but it's in a cookie that's encrypted server-side so it's like a black box to the client). Otherwise, you shouldn't be putting sensitive stuff in the form elements. The thing to do isn't really to move it into the session but to verify the user has access to whatever record he's changing; if so then "hacking" it by changing the page is just a roundabout way of doing what he's already allowed to. – Casey Jul 02 '15 at 17:13
  • Thanks @Casey. What I want is to track in a very effective way the row IDs of some elements. Imagine I have an order; that order has a client's ID, a product's ID, and a user's ID. I can get the user's ID through Identity's cookies. But I'm stuck on how I can pass the product's ID and client's ID from the view to the controller in a disconnected scenario. – Jose A Jul 02 '15 at 17:28
  • Then what you're doing is right. Use the hidden form elements. Yes, it's true that someone could alter the contents of what they send you by modifying those numbers themselves. However, if you ensure they can only ever do that with product and client IDs they are supposed to have access to, then all they can do in that way is create a tedious way to use the application just as you intended. – Casey Jul 02 '15 at 20:29
  • Excellent! One billion thank you Casey! I should always enforce a check on the Database for every value to prevent garbage on the same Database. – Jose A Jul 03 '15 at 14:47
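The two checks discussed above, put together in one controller action, as an added example (not code from the question or its comments): the posted tokens are first unprotected, with a failed MachineKey check rejected as a bad request, and the recovered IDs are then accepted only if the rows belong to the signed-in user. The `Order`, `Product` and `Client` entities, their `OwnerId` columns and `ApplicationDbContext` are assumed names.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;

public class OrdersController : Controller
{
    // Assumed EF6 context and entities; StringEncrypt is the class from the question.
    private readonly ApplicationDbContext db = new ApplicationDbContext();
    private readonly IEncrypt encrypt = new StringEncrypt();

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create(string productToken, string clientToken, int quantity)
    {
        int productId, clientId;

        // Step 1: integrity. MachineKey.Unprotect throws CryptographicException when the
        // token was altered or was protected for another user's purpose string; a
        // non-numeric or malformed token throws FormatException. Both are client errors.
        try
        {
            productId = int.Parse(encrypt.Unprotect(productToken));
            clientId = int.Parse(encrypt.Unprotect(clientToken));
        }
        catch (CryptographicException) { return new HttpStatusCodeResult(400); }
        catch (FormatException) { return new HttpStatusCodeResult(400); }
        catch (ArgumentNullException) { return new HttpStatusCodeResult(400); }

        // Step 2: authorization. An intact token only proves the value came from this
        // app for this user; the database decides whether this user may use these rows.
        // This is the check that matters if the hidden field is edited in the browser.
        string userId = User.Identity.GetUserId();
        bool allowed = db.Products.Any(p => p.Id == productId && p.OwnerId == userId)
                    && db.Clients.Any(c => c.Id == clientId && c.OwnerId == userId);
        if (!allowed)
            return new HttpStatusCodeResult(403);

        db.Orders.Add(new Order
        {
            ProductId = productId,
            ClientId = clientId,
            UserId = userId,
            Quantity = quantity
        });
        db.SaveChanges();
        return RedirectToAction("Index");
    }
}
```

With the ownership query in place, the token only adds tamper evidence; the same action stays safe even if the hidden fields carry plain integer IDs.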

0 Answers