
On my site, when a user edits their own info, I put their ID in a hidden field. But I saw in this link that this is risky: "Malicious hacker can alter a hidden field". The second way I thought of is to save the currently logged-in user's ID in a cookie. Can anyone change the ID value in the cookie and edit another user's info?

If yes, which way would you advise?

Jeyhun Rahimov
  • Rule #1: never trust any user input, so do the check on the server side. If you want to save data, then use Session objects. http://www.sql-server-performance.com/2012/preventing-parameter-tampering-in-asp-net-mvc/ – Ravi Gadag Feb 11 '13 at 13:04

1 Answer

You have to use your authentication mechanism every time. If you have implemented it correctly and always retrieve the user ID from there instead of the posted form values, you don't have to worry about it.

Most websites use Forms Authentication and some ASP.NET MVC project templates come with ready-to-use implementations. If you don't need a custom implementation, it's safer to use them.

Ufuk Hacıoğulları
  • I have ignored the default membership of MVC4 and don't use Forms Authentication. I save the username and encrypted password in a cookie. – Jeyhun Rahimov Feb 11 '13 at 13:32
  • Then you have to make sure your implementation is robust and secure. How do you encrypt those values? How secure is your key? It's a lot of risk if you are not really certain about what you are doing. What is your reason for not using an existing, proven implementation? – Ufuk Hacıoğulları Feb 11 '13 at 13:39
  • I crypt and encrypt the password with a hashed salt. I added additional properties to the User table and combined 2 DB contexts; the User table is also within my DB context, which is why I ignored the default WebSecurity of MVC 4. – Jeyhun Rahimov Feb 11 '13 at 13:43
  • I think the Membership Provider can handle adding extra columns to the User table. Anyway, if you assume your authentication mechanism is safe and you get the user ID from there each time, you don't have to use form values and don't have to worry about somebody tampering with them. – Ufuk Hacıoğulları Feb 11 '13 at 13:49
  • @Mores Since you encrypt the cookie value, nobody other than you would be able to decrypt it and change its value. – Ufuk Hacıoğulları Feb 11 '13 at 15:09
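As an added illustration of the answer's advice (this is example code, not from the question's project or the answer), the two ASP.NET MVC actions below contrast choosing the record from a posted hidden `Id` with taking the identity from the server-issued authentication ticket. The model, controller, repository interface and action names are assumed.

```csharp
using System.Web.Mvc;

// Assumed view model: Id is what a hidden <input name="Id"> would carry.
public class EditProfileModel
{
    public int Id { get; set; }          // client-controlled when bound from the form
    public string DisplayName { get; set; }
    public string Email { get; set; }
}

// Assumed persistence abstraction; a real app would use its DbContext.
public class AppUser { public int Id; public string UserName; public string DisplayName; public string Email; }
public interface IUserRepository
{
    AppUser GetById(int id);
    AppUser GetByName(string userName);
    void Save(AppUser user);
}

[Authorize]
public class ProfileController : Controller
{
    private readonly IUserRepository _users;
    public ProfileController(IUserRepository users) { _users = users; }

    // Risky pattern: the row to update is chosen by a value the browser sent.
    // Whoever edits the hidden field (or a plain cookie) picks the victim row.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult EditInsecure(EditProfileModel model)
    {
        var user = _users.GetById(model.Id);
        user.DisplayName = model.DisplayName;
        user.Email = model.Email;
        _users.Save(user);
        return RedirectToAction("Index");
    }

    // Safer pattern: the identity comes from the authentication ticket that the
    // server issued and verified (User.Identity under Forms Authentication).
    // Bind(Exclude) keeps a posted Id from even reaching the model.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Edit([Bind(Exclude = "Id")] EditProfileModel model)
    {
        var user = _users.GetByName(User.Identity.Name);
        user.DisplayName = model.DisplayName;
        user.Email = model.Email;
        _users.Save(user);
        return RedirectToAction("Index");
    }
}
```

The same principle applies to a hand-rolled cookie scheme: the server must verify the cookie's authenticity (signature and expiry) before treating anything in it as the current user's identity.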