I'm auto-generating a form in my ASP.NET page. This is already tested and working. I want to know:

  1. Are there any security problems with storing the database ID as part of my control's ID? I can think of 2 issues: the ID will be visible in the page source (not really important in this case), and the possibility that someone could change the name of the control somehow. This second possibility is more serious. Is this a potential problem, and how do I avoid it?

  2. Would there be a better, preferred way to associate unique data with any type of control? Is it possible to store a custom item in the ViewState for the control?

A: 

You can create your own custom controls, inheriting from TextBox, for example. Create properties that store data in the ViewState. That is the fastest and simplest way for me to achieve the result you're needing.

TheGeekYouNeed
A: 

Just save them in the ViewState:

ViewState["DB_ID"] = datarow["ID"];
Glennular
A: 

You can use a HiddenField. Or the best way is to store your ID in Session. Sessions are really secure.

kad1r
A: 

Don't store anything database related in your page. You are giving people knowledge of your system that should be hidden from view.

If you must store a database ID, store it in the session or put it into your web.config file.

yamspog
A: 

There's nothing wrong with using a database ID in a page. Just look at the URL of this page or nearly any other MVC-style site. It is not a security risk in itself unless your system is vulnerable to SQL injection attacks - and if it is, then you have bigger problems to worry about.

Dan Diplo
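
The question's second concern (a renamed control) and the SQL injection point in the last answer can both be handled on the server at postback. The following is an added example, not code from any of the answers: it accepts only IDs the server itself rendered for the user (the set would be kept in Session) and writes them with a parameterized query. The `field_` prefix, the `FormValues` table and its columns, and the class and method names are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

public static class PostedFieldValidator
{
    const string Prefix = "field_";   // assumed control-name prefix, e.g. field_12

    // form: what the browser posted (Request.Form in a page).
    // allowedIds: the IDs the server rendered for this user, e.g. kept in Session.
    public static Dictionary<int, string> Extract(NameValueCollection form, ISet<int> allowedIds)
    {
        var result = new Dictionary<int, string>();
        foreach (string key in form.AllKeys)
        {
            if (key == null || !key.StartsWith(Prefix, StringComparison.Ordinal)) continue;
            // Digits only: no sign, whitespace or thousands separators.
            if (!int.TryParse(key.Substring(Prefix.Length), NumberStyles.None,
                              CultureInfo.InvariantCulture, out int id))
                throw new InvalidOperationException("Malformed control name: " + key);
            // An ID that was never rendered for this user means the name was changed.
            if (!allowedIds.Contains(id))
                throw new UnauthorizedAccessException("Unexpected ID: " + id);
            result[id] = form[key];
        }
        return result;
    }

    // Parameterized UPDATE on a hypothetical table: ID and value never become SQL text.
    public static void Save(SqlConnection conn, int id, string value)
    {
        using (var cmd = new SqlCommand("UPDATE FormValues SET Value = @value WHERE Id = @id", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            cmd.Parameters.Add("@value", SqlDbType.NVarChar, 4000).Value = value;
            cmd.ExecuteNonQuery();
        }
    }

    public static void Main()
    {
        var allowed = new HashSet<int> { 12, 15 };   // constructed sample data
        var form = new NameValueCollection { { "field_12", "Alice" }, { "field_15", "Bob" } };
        Console.WriteLine(Extract(form, allowed).Count);
        form.Add("field_99", "x");                   // simulates a renamed control
        try { Extract(form, allowed); }
        catch (UnauthorizedAccessException e) { Console.WriteLine(e.Message); }
    }
}
```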