views:

17

answers:

2

I know the default routes in MVC include an id param which often maps to the identity of an entity as it's stored in the database. Now, often this is OK, but what about when you don't want someone to be able to manipulate it? Quite frankly, on many business apps this is very common. For example, you don't want someone to change the account number (not the best example, but you get the idea) in the URL for obvious reasons. So, you would need to validate the account number against the logged-in user on every request. Obviously, that is not a realistic solution, and in WebForms many people would store something like that in session. I am trying to rely on session very little in MVC, but aside from that, would I just go old school and use hidden fields?

How do others approach this?

A: 

A way this was handled at one place I worked was to check the referrer in the Request object. If the referrer was blank or not from the current domain, don't show them the page.

Request.UrlReferrer

It actually worked out pretty well.

Martin
A: 

Actually, for good security you must validate an authenticated user's rights on every request anyway. You can probably extend the Authorize attribute to better suit your needs. And a hidden field is only a little bit better than a URL parameter, as they are easily changed using the IE developer tools or Firebug.

PiRX
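One way to do the per-request check PiRX describes, as an added example that is not code from the question or either answer: an AuthorizeAttribute subclass for ASP.NET MVC that, after the usual authentication check, compares the {id} route value against what the server knows the logged-in user owns. IAccountOwnershipService and ServiceFactory are assumed placeholders for the application's own data access.

```csharp
using System;
using System.Web.Mvc;

// Assumption: an application service that answers "does this user own this account?"
// Its name and shape are hypothetical; back it with your own repository.
public interface IAccountOwnershipService
{
    bool UserOwnsAccount(string userName, int accountId);
}

// Applied as [AuthorizeAccountOwner] on an action or controller. The base
// attribute still handles authentication and Users/Roles; this adds an
// ownership check on the id that arrived in the URL, route or form.
public class AuthorizeAccountOwnerAttribute : AuthorizeAttribute
{
    // Name of the route value / request parameter carrying the account id.
    public string IdParameter { get; set; }

    // Hypothetical service-locator hook; replace with your DI container.
    public static Func<IAccountOwnershipService> ServiceFactory { get; set; }

    public AuthorizeAccountOwnerAttribute()
    {
        IdParameter = "id";
    }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        base.OnAuthorization(filterContext);
        if (filterContext.Result != null) return;   // already rejected (not authenticated / wrong role)

        // Read the id the client supplied: route value first, then query string or hidden field.
        object rawId;
        if (!filterContext.RouteData.Values.TryGetValue(IdParameter, out rawId) || rawId == null)
            rawId = filterContext.HttpContext.Request[IdParameter];

        int accountId;
        if (rawId == null || !int.TryParse(rawId.ToString(), out accountId))
        {
            filterContext.Result = new HttpNotFoundResult();
            return;
        }

        // Decide from the server-side record and the authenticated identity, never from
        // anything else the client sent. 404 rather than 403 so that probing ids does not
        // reveal which accounts exist.
        string userName = filterContext.HttpContext.User.Identity.Name;
        if (!ServiceFactory().UserOwnsAccount(userName, accountId))
            filterContext.Result = new HttpNotFoundResult();
    }
}
```

Do not combine this with [OutputCache] on the same action: the base attribute's cache-validation callback re-runs only AuthorizeCore, not this OnAuthorization override, so a cached response could be served without the ownership check.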