views:

65

answers:

3

Hello everybody,

First, sorry for my bad English, I'm French. I'll try to make myself understood :)

I'd like to pass a parameter from view to controller without using the url.

Why? Because the parameter is a userid and I don't want somebody to change it manually in the URL.


My code in the view:

    <% foreach (var item in ViewData["ClientsList"] as List<SalesCoverseal_V2.Models.Customer>)
       { %>
        <tr>
            <td>
                <%: Html.ActionLink("Editer", "ClientEdit", new { id = item.PersonId }) %>

                <%: Html.ActionLink("Faire une offre", "Index", new { controller = "Offer", id = item.PersonId }) %>
            </td>
        </tr>
    <% } %>

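In the controller:

    public ActionResult Index(string id)
    {
        if (currentLoginUser != null)
        {
            // The id arrives from the URL and is used as-is to load the customer
            CurrentCustomer = WebService.GetClientInfos(id);
            SessionManager.CurrentCustomer = CurrentCustomer;

            OfferViewModel viewmodel = new OfferViewModel();

            return View(viewmodel);
        }

        // This branch is not shown in the post; assumed here so every path returns
        return new HttpUnauthorizedResult();
    }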

My URL: http://localhost:50905/Offer/Index/WS00000401

But I don't want this url, I want http://localhost:50905/Offer/


Can you help me? I'm going crazy!

Thank you,

Lore

+3  A: 

If you don't want to pass the id in the URL you are going to have to 'post' the request, i.e. submit a form.
You could do this by placing the id in a hidden field. You should be aware that this by itself is not tamper-proof.
If you want to ensure your user id has not been tampered with, then you are going to have to encrypt it before sending it to the client and then decrypt it when it is returned, in such a way that you can check to see if it has been altered in any way. In addition, you can mark your Action method as only accepting Post requests to prevent anyone from trying to access it with a Get request.

Andy Rose

I've thought, but when I use FormMethod.Post, my parameter isn't passed in [HttpPost] in my controller.
Akawan

When you use FormMethod.Post, all your form values are passed within the request in a form collection (instead of the URL as querystrings). On the server, model binding is then used to map these values to your action parameters.
Andy Rose

+1  A: 

If that is part of the current user's identity, a cookie of some kind would seem the normal approach, but cookies are trivial to spoof unless you make their content either a cryptographically signed value, or an opaque unpredictable lookup (Guid) to some value. In either case you would also want to make it time-bound to prevent replay.

If you just don't want data on the URL a POST may help, but you can't redirect to a POST.

Marc Gravell

+1  A: 

Using a POST instead of a GET isn't really going to help fix your problem because anyone can fake a POST nearly just as easily as a GET.

I would suggest you check server side if the user has permission to view the data or not.

What is it exactly that you are trying to do? You could possibly use a HMAC.

HTHs,
Charles

Charlino
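
Added example, not part of any answer above: one way to build the signed, time-bound value Marc Gravell describes and the HMAC Charlino suggests, bound to the logged-in user so a value issued to one user is rejected for another. The class name, the token layout and the per-process key are assumptions of this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class SignedCustomerId
{
    // Assumption: per-process random key; a real site loads a shared secret from protected configuration.
    private static readonly byte[] Key = NewKey();

    // Token layout (constructed for this example): customerId|expiryTicks|base64(HMAC-SHA256)
    public static string Protect(string customerId, string userName, DateTime expiresUtc)
    {
        if (customerId.IndexOf('|') >= 0) throw new ArgumentException("customerId must not contain '|'");
        string payload = customerId + "|" + expiresUtc.Ticks;
        return payload + "|" + Sign(payload, userName);
    }

    public static bool TryUnprotect(string token, string userName, DateTime nowUtc, out string customerId)
    {
        customerId = null;
        string[] parts = (token ?? "").Split('|');
        long expiryTicks;
        if (parts.Length != 3 || !long.TryParse(parts[1], out expiryTicks)) return false;
        // Recompute the MAC for the logged-in user: a changed id, a changed expiry or another user's token fails.
        if (!FixedTimeEquals(Sign(parts[0] + "|" + parts[1], userName), parts[2])) return false;
        if (nowUtc.Ticks > expiryTicks) return false; // time-bound, limits replay
        customerId = parts[0];
        return true;
    }

    private static string Sign(string payload, string userName)
    {
        // Length-prefix the user name so different (user, payload) pairs cannot produce the same MAC input.
        byte[] data = Encoding.UTF8.GetBytes(userName.Length + ":" + userName + payload);
        using (var hmac = new HMACSHA256(Key)) return Convert.ToBase64String(hmac.ComputeHash(data));
    }

    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i]; // no early exit on the first mismatch
        return diff == 0;
    }

    private static byte[] NewKey()
    {
        var key = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        return key;
    }
}
```

The view would emit `Protect(item.PersonId, User.Identity.Name, ...)` in place of the raw id, and the action would call `TryUnprotect` before `WebService.GetClientInfos`. The signature only proves the server issued the value to that user, so the server still has to issue it only for customers that user is permitted to see.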