I'm trying to use SSRS URL access (http://mydomain.com/ReportServer?/Reports ....) such that the URL with hidden report parameters is never visible in the browser.

Many references suggest that simply encapsulating the Report/Server url within a form with method=post will do the trick.

While the form posts without showing a param in the URL, when the SSRS ReportServer responds to display the form, it unfortunately puts something like this in the browser command box:

http://localhost:8080/ReportServer_SQLEXPRESS/Pages/ReportViewer.aspx?/Reports/MyReportTest&rs%3aCommand=Render&rc%3aLinkTarget=_blank&rs%3aFormat=HTML4.0&rc%3aParameters=false&Id=1

This is useless, because one can simply hack the trailing "Id=1" and make it anything.

Any pointers on how to get around this?

A: 

You can use JavaScript to have the report open in a new window with the address bar hidden.

It is still very simple for a user to find the URL and change the ID but at least this workaround makes it ever-so-slightly more difficult and less savvy users won't be tempted to change the ID.

Alison
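Added example, not part of the question or the answer above: since hiding the address bar does not stop the `Id` value from being edited, the alternative is to make an edited value detectable on the server. The sketch assumes a hypothetical server-side component of your own that sits in front of Report Server, knows the authenticated user, and only forwards requests whose parameters carry a valid HMAC; the function names, the `exp` and `sig` fields, and the key handling are all assumptions, not SSRS features.

```javascript
const crypto = require('crypto');

// Constructed values: the key exists only on the server that issues and checks links.
const SECRET = crypto.randomBytes(32);
const REPORT_PATH = '/Reports/MyReportTest'; // report path taken from the question's URL

// The MAC covers the user, the report path, every parameter and the expiry time.
// JSON encoding keeps field boundaries unambiguous.
function sign(user, path, params, expires) {
  const msg = JSON.stringify([user, path, Object.entries(params).sort(), expires]);
  return crypto.createHmac('sha256', SECRET).update(msg).digest('hex');
}

// Build the link that is handed to the browser (hypothetical helper).
function issueLink(user, path, params, ttlSeconds, now = Date.now()) {
  const expires = Math.floor(now / 1000) + ttlSeconds;
  const qs = new URLSearchParams({
    ...params,
    exp: String(expires),
    sig: sign(user, path, params, expires),
  });
  return `${path}?${qs}`;
}

// Check an incoming link before the request is forwarded to Report Server.
function verifyLink(user, link, now = Date.now()) {
  const [path, query = ''] = link.split('?');
  const qs = new URLSearchParams(query);
  const given = Buffer.from(qs.get('sig') || '', 'hex');
  const expires = Number(qs.get('exp'));
  qs.delete('sig');
  qs.delete('exp');
  const params = Object.fromEntries(qs);
  const expected = Buffer.from(sign(user, path, params, expires), 'hex');
  // Compare lengths first: timingSafeEqual throws on buffers of different size.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  if (expires < Math.floor(now / 1000)) {
    return { ok: false, reason: 'expired' };
  }
  return { ok: true, params };
}
```

Because the user name is part of the signed message, a link copied to another account fails the same check as an edited `Id`.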