ASP.NET MVC 在 URL 中使用 ID

发布于 2024-09-18 03:41:32 字数 276 浏览 7 评论 0原文

我知道 MVC 中的默认路由包含一个 id 参数,该参数通常映射到存储在数据库中的实体的标识。现在,通常这是可以的,但是当您不希望有人能够操纵它时怎么办?坦率地说,在许多商业应用程序中,这种情况很常见。例如,出于显而易见的原因,您不希望某人更改 URL 中的帐号(不是最好的示例,但您明白了)。因此,您需要在每次请求时针对登录用户验证帐号。显然,这不是一个现实的解决方案,并且在网络表单中,许多人会在会话中存储类似的内容。我试图在 MVC 中很少依赖会话,但除此之外我会继续老派并使用隐藏字段吗?

其他人如何处理这个问题?

I know the default routes in MVC include an id param which often maps to the identity of an entity as it's stored in the database. Now, often this is OK, but what about when you don't want someone to be able to manipulate it? Quite frankly, on many business apps this is very common. For example, you don't want someone to change the account number (not the best example, but you get the idea) in the URL for obvious reasons. So, you would need to validate the account number against the logged in user on every request. Obviously, that is not a realistic solution, and in webforms many people would store something like that in session. I am trying to rely on session very little in MVC, but aside from that would I just go old school and use hidden fields?

How do others approach this?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

千紇 2024-09-25 03:41:32

实际上,为了获得良好的安全性,您无论如何都必须对每个请求验证经过身份验证的用户权限。也许您可以扩展 Authorize 属性以更好地满足您的需求。
隐藏字段比 url 参数好一点,因为它们可以通过使用 IE 开发工具或 Firebug 轻松更改。

Actually, for good security you anyway must validate authenticated users rights on every request. Probably you can extend Authorize attribute to better suit your needs.
And a hidden field is just a little bit better than url parameter, as they are easily changed by using IE developer tools or Firebug.

青芜 2024-09-25 03:41:32

我工作过的一个地方处理此问题的一种方法是检查 Request 对象中的引荐来源网址。如果引荐来源网址为空或不是来自当前域,则不要向他们显示该页面。

Request.UrlReferrer

实际上效果很好。

A way this was handled at one place I worked at was to check the referrer in the Request object. If the referrer was blank or not from the current domain, don't show them the page.

Request.UrlReferrer

It actually worked out pretty well.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文