
I have written the code for preventing user authentication in my GET method like below:

// Body of the GET action as posted; the problems discussed in the comments are left in place.
if (!string.IsNullOrEmpty(Session["UserName"].ToString()))   // throws NullReferenceException when the session key is absent
{
    MyConnection mycon = new MyConnection();
    string str = "";
    int res = 0;
    if (Request.QueryString.ToString().Contains("ID1"))
    {
        // query-string value concatenated straight into the SQL text
        str = "Delete from PostTable where PostID=" + Request.QueryString["ID1"];
        res = mycon.IODPost(str);
    }
    return View(AllPostList());
}
else
{
    return RedirectToAction("Home", "Home");
}

But when I press the Back button in the browser after sign-out, the page posts back to the previous page, which shouldn't be possible. So what should I do to prevent this?

Abhay Andhariya
  • You have a SQL injection vulnerability. – SLaks Jul 19 '13 at 14:28
  • Do not delete things from a GET request. – SLaks Jul 19 '13 at 14:28
  • Also don't use Session for authentication (look up session hijacking), and look at using AuthorizeAttribute or similar, or you are going to have this all over the place. – RichardW1001 Jul 19 '13 at 14:37
  • To reiterate @SLaks, there are two problems right off the bat. Please read up on [SQL Injection](http://msdn.microsoft.com/en-us/library/ms161953(v=sql.105).aspx). You shouldn't have a GET method for deleting items; that should be POST. Here's a good [explanation of the difference between the two](http://stackoverflow.com/questions/3477333/what-is-the-difference-between-post-and-get). For the postback question, where/when is this function being called? – tokyovariable Jul 19 '13 at 14:37
  • Finally, security is _hard_. Don't reinvent the wheel; use existing proven solutions. – SLaks Jul 19 '13 at 14:59

1 Answer

So there are several bad practices in your example.

  1. Be aware of SQL injection: use the ADO.NET SqlCommand and SqlCommandParameter classes to create queries.

  2. ASP.NET MVC has attributes like [Authorized] and [AllowAnonymous] that can guide your app workflow for each request. You can add these at the controller level or the method level.

  3. Check for null against "Session["UserName"].ToString()".

Some links:

http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlcommand.parameters.aspx

http://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute(v=vs.108).aspx#using_authorizeattribute

Hope this helps.

Alex Peta
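A hardened version of the delete flow that applies the answer's three points and the comments above (parameterised query, attribute-based authorisation, POST-only delete, null-safe session access) and also addresses the back-button question. This is an added example, not the asker's or the answerer's code. It assumes a Web.config connection string named PostsDb, that forms authentication is configured so the Authorize filter has an identity to check, and keeps the PostTable/PostID names from the question; AllPostList() is the asker's existing helper and is only referenced, not reimplemented.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.Mvc;

// Added example; assumptions: connection string "PostsDb" in Web.config,
// forms authentication enabled, table/column names taken from the question.
[Authorize]                                                        // every action needs an authenticated user
[OutputCache(NoStore = true, Duration = 0, VaryByParam = "None")]  // never cache: Back after sign-out re-requests the page
public class PostController : Controller
{
    // GET is read-only: listing posts never changes state.
    [HttpGet]
    public ActionResult Index()
    {
        return View(AllPostList());   // the asker's existing helper from the question
    }

    // Deleting is only reachable over POST, and the anti-forgery token ties
    // the request to a form this site rendered for this user.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Delete(int id)
    {
        int rows = DeletePost(id);
        TempData["Message"] = rows == 1 ? "Post deleted." : "Post not found.";
        return RedirectToAction("Index");   // POST-redirect-GET: a refresh does not repeat the delete
    }

    // Parameterised delete: the id is sent as a typed SqlParameter, so it can
    // never be interpreted as part of the SQL text.
    internal static int DeletePost(int id)
    {
        string cs = ConfigurationManager.ConnectionStrings["PostsDb"].ConnectionString;
        using (var con = new SqlConnection(cs))
        using (var cmd = new SqlCommand("DELETE FROM PostTable WHERE PostID = @id", con))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            con.Open();
            return cmd.ExecuteNonQuery();   // rows affected
        }
    }

    // Null-safe session read: returns null instead of throwing when the key is
    // missing. With [Authorize] in place, User.Identity.Name is the better
    // source of the signed-in user anyway.
    internal static string SessionUserName(HttpSessionStateBase session)
    {
        return session["UserName"] as string;
    }

    private object AllPostList()
    {
        // Asker's helper; its body is not on the page, so it is not reproduced here.
        throw new NotImplementedException();
    }
}
```

The matching Razor view posts the id through a form containing @Html.AntiForgeryToken() rather than linking to a GET URL. The NoStore output-cache setting is what fixes the back-button symptom: the browser has no cached copy to show, so it re-requests the page and the Authorize filter redirects the signed-out user to the login page.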