What if I have a ChangePassword form with a hidden ID field for the user?

BadPerson knows the id of GoodPerson. He opens the Change Password form with FireBug, changes his Id to GoodPerson's Id, so the password changes for GoodPerson.

Of course I can create some server logic that will prevent this, but I think there should be some out-of-the-box solution, which throws if a hidden field has been changed, which I don't know about.

Thanks in advance.

EDIT: Ok, Change Password is a bad example. Any edit form where I have an id in a hidden field has the same problem.

+2  A: 

There is nothing that will let you know whether a hidden field's value has been changed or not. For a user to change his password it means that he needs to be authenticated. When using forms authentication the ID of the currently authenticated user is stored in an encrypted cookie which cannot be modified.

This is to say that you shouldn't use hidden fields for storing the currently connected user. Just use the built-in FormsAuthentication mechanism in ASP.NET and never store such information in hidden fields. The way ASP.NET knows that the value of the cookie hasn't been tampered with is that it signs it with the machineKey specified in the configuration.

There's an important rule that you should follow when dealing with security and authentication: always use built-in security mechanisms, never roll your own.

Darin Dimitrov
I'll second that, don't try to do it yourself, use forms authentication, it takes care of all of that for you.
Doobi
I would also like to add that when allowing the user to change their password, it's often a good idea to have them enter their current password along with the new password. This provides an extra point of validation that you can perform.
BradBrening
Ok, but what if it's not a user, but some other object, for which it's very convenient to store its id? > "There is nothing that will let you know that a value of a hidden field's value has been changed or not" - I don't agree with this. Good old ViewState could :) There should be something, I believe. Otherwise there is a huge hole in security.
er-v
@BradBrening, totally agree with you, that's how it should be done, unfortunately sometimes GUIs are designed by people who know nothing about security and might say that an additional field is not necessary here.
Darin Dimitrov
@er-v, the thing is to sign the value. Google about HMAC-SHA1 Signatures.
Darin Dimitrov
Why this has been down-voted? Could you please leave a comment when down-voting? Is there something wrong with my answer?
Darin Dimitrov
+1  A: 

I agree with Darin that forms authentication will take care of the specific problem mentioned above (changing a password). This answer is for the more general question of making sure that a hidden field's value is not changed.

The best solution to this is to include another hidden field which contains a hash of the first hidden field's value. That way, if the first hidden field is changed, you will know. The generated HTML looks something like this:

<input id="productId" name="productId" type="hidden" value="1" />
<input id="productId_sha1" name="productId_sha1" type="hidden" value="vMrgoclb/K+6EQ+6FK9K69V2vkQ=" />

This article shows how to do it and includes source code for an extension Html.SecuredHiddenField which will take care of the logic for you.

Keltex
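The following is an added example, not code from the original page, from the linked article, or from the Html.SecuredHiddenField helper. It shows the mechanism Darin points at in the comments ("sign the value", HMAC) and that Keltex's answer applies: the server emits a second hidden field carrying a keyed signature over the first, and refuses the POST if the two no longer match. It is written in Python rather than C# so it runs stand-alone; the SERVER_KEY constant, the field names, the `_sig` suffix and the user ids are placeholders chosen for the example. It also shows two things the answer does not spell out: the signature must be keyed (a plain SHA-1 of the value, as the `_sha1` field name on the page might suggest, is recomputable by the attacker), and binding the authenticated user's id into the MAC stops one user from replaying a signed field lifted from another user's page.

```python
import base64
import hashlib
import hmac
import html
from typing import Dict, Optional

# Server-side secret. This plays the role ASP.NET's machineKey plays for the
# forms-authentication cookie. Placeholder for the example only; a real
# application loads it from configuration and never embeds it in a page.
SERVER_KEY = b"example-only-server-key-replace-me"


def sign_hidden_field(name: str, value: str, user_id: str, key: bytes = SERVER_KEY) -> str:
    """Base64 HMAC-SHA256 over field name, field value and the authenticated user id.

    Binding the user id into the MAC means a signed field copied from one user's
    page does not verify when another user submits it from his own session.
    """
    message = b"|".join(part.encode("utf-8") for part in (name, value, user_id))
    return base64.b64encode(hmac.new(key, message, hashlib.sha256).digest()).decode("ascii")


def signed_fields(name: str, value: str, user_id: str, key: bytes = SERVER_KEY) -> Dict[str, str]:
    """The pair of form fields the server emits: the value and its signature."""
    return {name: value, name + "_sig": sign_hidden_field(name, value, user_id, key)}


def render_hidden_fields(name: str, value: str, user_id: str) -> str:
    """HTML for the two hidden inputs, in the shape shown in the answer above."""
    return "\n".join(
        f'<input id="{html.escape(n)}" name="{html.escape(n)}" type="hidden" value="{html.escape(v)}" />'
        for n, v in signed_fields(name, value, user_id).items()
    )


def verify_hidden_field(form: Dict[str, str], name: str, user_id: str,
                        key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the field's value if its signature verifies for this user, else None.

    `form` is the posted form as a name->value dict; `user_id` comes from the
    server's own session (e.g. the forms-auth cookie), never from the form.
    """
    value = form.get(name)
    submitted_sig = form.get(name + "_sig")
    if value is None or submitted_sig is None:
        return None
    expected_sig = sign_hidden_field(name, value, user_id, key)
    # Constant-time comparison so the check does not leak how many leading
    # characters of the submitted signature were right.
    if not hmac.compare_digest(expected_sig, submitted_sig):
        return None
    return value


def unkeyed_hash_field(value: str) -> str:
    """What NOT to ship: a plain SHA-1 of the value. Anyone can recompute it,
    so a second hidden field holding this proves nothing about tampering."""
    return base64.b64encode(hashlib.sha1(value.encode("utf-8")).digest()).decode("ascii")


def verify_unkeyed_field(form: Dict[str, str], name: str) -> Optional[str]:
    """Check against the unkeyed hash; included only to show it is forgeable."""
    value, submitted = form.get(name), form.get(name + "_sha1")
    if value is None or submitted is None or not hmac.compare_digest(unkeyed_hash_field(value), submitted):
        return None
    return value


if __name__ == "__main__":
    # GoodPerson (user "42") is served a form carrying productId=1.
    good_form = signed_fields("productId", "1", "42")
    print(render_hidden_fields("productId", "1", "42"))
    print("genuine submission:", verify_hidden_field(good_form, "productId", "42"))

    # BadPerson edits the value in the browser but cannot recompute the MAC.
    tampered = dict(good_form, productId="2")
    print("edited value:", verify_hidden_field(tampered, "productId", "42"))

    # BadPerson (user "7") replays GoodPerson's intact signed pair from his own session.
    print("replayed by another user:", verify_hidden_field(good_form, "productId", "7"))

    # With an unkeyed hash the attacker simply recomputes it for the new value.
    forged = {"productId": "2", "productId_sha1": unkeyed_hash_field("2")}
    print("unkeyed hash accepts forgery:", verify_unkeyed_field(forged, "productId"))
```

The signature only proves that the server itself emitted this value for this user; it does not decide whether the user is allowed to edit that object. The authorization check still belongs on the server, both when the form is rendered (only emit ids the current user may edit) and when it is processed, which is the point of Darin's answer that the current user's identity must come from the authentication cookie and never from the form.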