
How to change the URL display in Visual Studio asp.net?

I am trying to figure out how to change the URL that the end user sees so that when a customer logs in and is authorized to visit a page, they can't jump from spot to spot by changing the customer ID.

In essence, when a customer logs in they should be able to see all of their listings, but I don't want them to be able to jump to other customers' listings simply by changing the id in the URL. What is the best way to go about this?

    [Authorize]
    public ActionResult ViewPets(int? id)
    {
        if (id == null)
        {
            return RedirectToAction("OwnerLogin", "Login");
        }

        // The id comes straight from the route (/PetOwner/ViewPets/2) and is
        // never compared with the logged-in owner, so any authenticated user
        // can read any owner's listings by changing the number in the URL.
        // The id is also concatenated into the SQL text rather than bound as
        // a parameter (it is an int here, but the pattern does not carry over
        // safely to string parameters).
        IEnumerable<Pet_Owners> pets = db.Database.SqlQuery<Pet_Owners>("SELECT PetID, Pet_Type, Pet_Age, Pet_Weight, Pet_Sex, Pet_Description, Owner.Owner_FirstName, Owner.Owner_LastName, Owner.Owner_City " +
            "FROM Pet INNER JOIN " +
            "Owner ON Owner.OwnerID = Pet.OwnerID " +
            "WHERE Owner.OwnerID = " + id);

        return View(pets);
    }

This is what the URL looks like: http://localhost:52509/PetOwner/ViewPets/2

There are three items to consider when you want to authorize someone to see a specific record:

  1. Record-level authorization at the database level (pass a username into a stored procedure and return an error if they do not have access). This also allows for additional security. With the required user parameter, it can also go to the extent of checking whether the user has access to the record, whether the user even exists, and/or whether they have particular privileges to perform an action on a record or object. The only change in code is additional params passed to the database in a manner that suits your specific needs. This solution is agnostic.
  2. Authorize particular users to a page and/or to certain BI functions in code by implementing a business framework or using an existing one.
  3. Hash the ID, for example purposes only using a class that looks like this (to further increase security, i.e. hide the database ID), or if both points 1 and 2 are not applicable and you wish to prevent the user from just entering any ID and likely guessing it:

     using System;
     using System.Security.Cryptography;
     using System.Text;

     public static class QueryCrypto
     {
         // Random 24-byte key generated once per process. Tokens minted with it
         // stop decrypting after an app-pool recycle or on a second server
         // unless a persisted key is passed in explicitly.
         private static readonly byte[] Key = new byte[24];

         static QueryCrypto()
         {
             new RNGCryptoServiceProvider().GetBytes(Key);
         }

         // byte[].ToString() returns the type name ("System.Byte[]"), not the
         // key bytes, so the default key is Base64-encoded before use.
         private static string DefaultKey()
         {
             return Convert.ToBase64String(Key);
         }

         public static string Encrypt(string toencrypt, string key = "", bool usehashing = true)
         {
             if (key.Length == 0) key = DefaultKey();

             byte[] keyArray;
             // If hashing, derive the TripleDES key from the MD5 hash of your key (16 bytes)
             if (usehashing)
             {
                 using (var hashmd5 = new MD5CryptoServiceProvider())
                 {
                     keyArray = hashmd5.ComputeHash(Encoding.UTF8.GetBytes(key));
                 }
             }
             else
             {
                 // Without hashing the key string itself must be 16 or 24 bytes
                 keyArray = Encoding.UTF8.GetBytes(key);
             }

             // set the secret key for the tripleDES algorithm
             // mode of operation. there are other 4 modes.
             // We choose ECB(Electronic code Book); with a fixed key it is
             // deterministic, so the same ID always maps to the same token.
             // padding mode(if any extra byte added)
             using (var tdes = new TripleDESCryptoServiceProvider { Key = keyArray, Mode = CipherMode.ECB, Padding = PaddingMode.PKCS7 })
             using (var transform = tdes.CreateEncryptor())
             {
                 try
                 {
                     var toEncryptArray = Encoding.UTF8.GetBytes(toencrypt);
                     // transform the specified region of bytes array to resultArray
                     var resultArray = transform.TransformFinalBlock(toEncryptArray, 0, toEncryptArray.Length);
                     // Return the encrypted data into unreadable string format
                     return Convert.ToBase64String(resultArray, 0, resultArray.Length);
                 }
                 catch (Exception)
                 {
                     return string.Empty;
                 }
             }
         }

         public static string Decrypt(string todecrypt, string key = "", bool usehashing = true)
         {
             if (key.Length == 0) key = DefaultKey();

             byte[] toEncryptArray;
             // get the byte code of the string
             try
             {
                 // The replace only matters when spaces exist in the string
                 // (e.g. '+' decoded to ' ' by a URL parser); a valid Base64
                 // string never contains spaces.
                 toEncryptArray = Convert.FromBase64String(todecrypt.Replace(" ", "+"));
             }
             catch (Exception)
             {
                 return string.Empty;
             }

             byte[] keyArray;
             if (usehashing)
             {
                 // if hashing was used get the hash code with regards to your key
                 using (var hashmd5 = new MD5CryptoServiceProvider())
                 {
                     keyArray = hashmd5.ComputeHash(Encoding.UTF8.GetBytes(key));
                 }
             }
             else
             {
                 // if hashing was not implemented get the byte code of the key
                 keyArray = Encoding.UTF8.GetBytes(key);
             }

             // same algorithm, mode and padding as Encrypt
             using (var tdes = new TripleDESCryptoServiceProvider { Key = keyArray, Mode = CipherMode.ECB, Padding = PaddingMode.PKCS7 })
             using (var transform = tdes.CreateDecryptor())
             {
                 try
                 {
                     var resultArray = transform.TransformFinalBlock(toEncryptArray, 0, toEncryptArray.Length);
                     // return the Clear decrypted TEXT
                     return Encoding.UTF8.GetString(resultArray);
                 }
                 catch (Exception)
                 {
                     return string.Empty;
                 }
             }
         }
     }
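The following is an added example, not code from the question or the answer above. It shows the in-code authorization of point 2 applied to the action from the question: the owner whose pets are listed is taken from the authenticated principal, not from the URL, and the owner id is bound as a SQL parameter instead of being concatenated. It assumes the question's `Pet_Owners` model and an Entity Framework `DbContext` named `PetContext` exposing `db.Database`, and it assumes that the login controller stores the owner's `OwnerID` in a claim named `"OwnerID"` when it signs the user in. The claim name, `PetContext` and `TryGetOwnerId` are illustrative names introduced here.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;
using System.Linq;
using System.Security.Claims;
using System.Security.Principal;
using System.Web.Mvc;

// Added example: hardened version of the ViewPets action from the question.
// PetContext (an EF DbContext with a Database property) and Pet_Owners are
// assumed to exist as in the question; the "OwnerID" claim is assumed to be
// issued by the login controller. These names are illustrative.
public class PetOwnerController : Controller
{
    private readonly PetContext db = new PetContext();

    [Authorize]
    public ActionResult ViewPets(int? id)
    {
        // Authorization decision: which owner's data to show is decided by
        // who is logged in, never by a number the client typed into the URL.
        int ownerId;
        if (!TryGetOwnerId(User, out ownerId))
        {
            return RedirectToAction("OwnerLogin", "Login");
        }

        // Existing links may still carry an id; if it is not the caller's own,
        // answer 404 so the response does not confirm that other ids exist.
        if (id.HasValue && id.Value != ownerId)
        {
            return HttpNotFound();
        }

        // Parameterized query: @ownerId is bound by the provider, so the SQL
        // text is fixed and the value cannot alter the statement.
        IEnumerable<Pet_Owners> pets = db.Database.SqlQuery<Pet_Owners>(
            "SELECT PetID, Pet_Type, Pet_Age, Pet_Weight, Pet_Sex, Pet_Description, " +
            "       Owner.Owner_FirstName, Owner.Owner_LastName, Owner.Owner_City " +
            "FROM Pet INNER JOIN Owner ON Owner.OwnerID = Pet.OwnerID " +
            "WHERE Owner.OwnerID = @ownerId",
            new SqlParameter("@ownerId", ownerId)).ToList();

        return View(pets);
    }

    // Reads the OwnerID claim placed on the principal at login. Returns false
    // when the claim is missing or malformed so the caller can re-authenticate
    // instead of falling back to an id supplied by the client.
    internal static bool TryGetOwnerId(IPrincipal user, out int ownerId)
    {
        ownerId = 0;
        var principal = user as ClaimsPrincipal;
        var claim = principal?.FindFirst("OwnerID");
        return claim != null && int.TryParse(claim.Value, out ownerId);
    }
}
```

If the query is later moved into a stored procedure as in point 1, the same `@ownerId` parameter is what the procedure checks against the requested record; and if the id in the URL is replaced by an encrypted token as in point 3, the token only hides the real key, so the comparison against the logged-in owner above is still what stops one customer from reading another's listings.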

