views: 47

answers: 3

I'm creating an ASP.NET MVC website and I was wondering which techniques you guys use to protect primary keys in these MVC URLs.

Actually ASP.NET MVC generates this syntax for its urls:

/Controller/Action/Id

Last week I was trying to encrypt it using SHA-1 Encryption, but this encrypter generates some special symbols like + (plus), / (slash), and other annoying chars which make the decryption difficult.

Perhaps creating a custom encryption would solve the problem. But I want to hear from you guys: do you have any ideas to protect MVC URLs?

+1  A: 

The best (=only proper IMHO) way to protect the Primary Key is to have server side security checking if the current user is allowed to see it. The other usual option is using Guids which are hard to guess, but without server side validation it's still Security by Obscurity.

Michael Stum
That's exactly what we do in our application. Let people type in Account/Display/{notMyId} ... since you're logged into the system we know who you are, and you're not going to see any info from an Id you don't own :)
Jedidja
Nice, I'll have a go with Guid and make sure the current user is allowed to see it. Thank you, Mike.
Junior Mayhé
A: 

I don't see how you'd gain anything by protecting the primary keys, unless you are a believer in "security by obscurity" (which is really the same as "little or no security").

Instead of hiding the actual IDs you should make sure that a proper security model is in place to make sure that people doing URL hacking cannot access records they're not allowed to see.

Morten Mertner
A: 

To answer your question directly: Any method of encrypting the Id is best done using a proven crypto method, like the SHA-1 in the framework. You can prevent the illegal characters from interfering using UrlEncode.

That being said, I would consider using server side security to verify that the user can access the object the query string designates, rather than trying to obscure the actual PK.

Matt Murrell
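The server-side ownership check that all three answers recommend, as an added example in classic ASP.NET MVC (System.Web.Mvc); this is not code from the thread, and the `Account` type and `IAccountRepository` interface are hypothetical stand-ins for the application's own model and data access:

```csharp
using System;
using System.Web.Mvc;

// Hypothetical record type and repository, constructed for this example.
public class Account
{
    public int Id { get; set; }
    public string OwnerUserName { get; set; }
    public decimal Balance { get; set; }
}

public interface IAccountRepository
{
    Account FindById(int id);
}

[Authorize] // unauthenticated callers never reach the action at all
public class AccountController : Controller
{
    private readonly IAccountRepository _accounts;

    public AccountController(IAccountRepository accounts)
    {
        _accounts = accounts;
    }

    // GET /Account/Display/{id}
    // The id in the URL is untrusted input. It is only a lookup key; the
    // server, not the URL, decides whether the caller may see that row.
    public ActionResult Display(int id)
    {
        Account account = _accounts.FindById(id);

        // Same 404 whether the row is missing or belongs to someone else,
        // so the response does not reveal which ids exist.
        bool ownedByCaller = account != null &&
            string.Equals(account.OwnerUserName, User.Identity.Name,
                          StringComparison.Ordinal);

        if (!ownedByCaller)
        {
            return HttpNotFound();
        }

        return View(account);
    }
}
```

The same check applies unchanged if the key is a Guid instead of an int: a hard-to-guess id only raises the cost of enumeration, while the ownership comparison is what actually denies access.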