Stop Showing Parameters In URL

  • Question

  • User1349647816 posted

    I would like to know how to stop showing the parameter in the URL, e.g. "Dashboard?loggedInID=0". This seems like a security flaw, so how do I work around this or get MVC to stop showing the parameters in the URL?

    Thursday, November 8, 2018 12:13 PM

All replies

  • User753101303 posted

    Hi,

    You can't really (and using POST won't stop an attacker). You could consider encrypting this value (though if you end up with an encrypted value that is always the same for 0 and for all users, it won't do much more than give a false sense of security).

    IMHO you should rather use what ASP.NET or other libraries offer out of the box than try to create your own "security" mechanisms.

    Is this a single app, or are you trying to make two apps work together? How is it that Dashboard doesn't itself know whether the user is authenticated?

    Thursday, November 8, 2018 12:39 PM
  • User475983607 posted

    I would like to know how to stop showing the parameter in the URL, e.g. "Dashboard?loggedInID=0". This seems like a security flaw, so how do I work around this or get MVC to stop showing the parameters in the URL?

    Use a standard authentication API like Identity, which stores the user credentials in an encrypted auth cookie.

    https://www.asp.net/mvc/overview/security

    Thursday, November 8, 2018 12:44 PM
  • User1520731567 posted

    Hi ShatterStar,

    Based on your requirement, I suggest you could hide the parameters in the URL by encrypting and decrypting them.

    1. Create a MyExtensions class to generate the link, encrypt the token and add it to the URL:

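    /// <summary>
    /// HTML helper that emits an anchor whose query string is carried as a single
    /// encrypted <c>q</c> parameter (decoded by <c>EncryptedActionParameterAttribute</c>).
    /// NOTE(review): this hides parameter names from casual inspection only. The token is
    /// produced with a hard-coded key and a fixed IV, so identical input always yields the
    /// identical token, and nothing authenticates it, so any token that has been seen can be
    /// reused. It must not be relied on as an authorization mechanism; derive the user
    /// identity server-side from the authenticated principal instead of passing it in the URL.
    /// </summary>
    public static class MyExtensions
    {
        // Both values must match the ones in EncryptedActionParameterAttribute.
        // SECURITY(review): a key in source code is a shared secret every reader of the
        // repository has; it belongs in configuration / a secret store.
        private const string Key = "jdsg432387#";
        private static readonly byte[] Iv = { 55, 34, 87, 64, 87, 195, 54, 21 };

        /// <summary>
        /// Builds an <c>&lt;a&gt;</c> element for the given action, encrypting the route
        /// values into <c>?q=…</c>.
        /// </summary>
        /// <param name="htmlHelper">Extension receiver; not used.</param>
        /// <param name="linkText">Visible link text; HTML-encoded before emission.</param>
        /// <param name="actionName">Action name; omitted from the path when it is "Index".</param>
        /// <param name="controllerName">Controller name; omitted from the path when null or empty.</param>
        /// <param name="routeValues">Anonymous object or dictionary of query parameters, or null.</param>
        /// <param name="htmlAttributes">Anonymous object or dictionary of extra attributes, or null.</param>
        /// <returns>The anchor markup, with the <c>&lt;/a&gt;</c> closing tag included.</returns>
        public static MvcHtmlString EncodedActionLink(this HtmlHelper htmlHelper, string linkText, string actionName, string controllerName, object routeValues, object htmlAttributes)
        {
            // "?" is the pair separator on purpose: the decrypting filter splits the
            // plaintext on '?', so this format must stay in sync with it.
            string queryString = routeValues == null
                ? string.Empty
                : string.Join("?", new RouteValueDictionary(routeValues).Select(kv => kv.Key + "=" + kv.Value));

            var anchor = new StringBuilder("<a");
            if (htmlAttributes != null)
            {
                foreach (var kv in new RouteValueDictionary(htmlAttributes))
                {
                    // Quote and encode attribute values so a value containing spaces or
                    // quotes cannot break out of the attribute (the original emitted them raw).
                    anchor.Append(' ').Append(kv.Key).Append("=\"")
                          .Append(WebUtility.HtmlEncode(Convert.ToString(kv.Value))).Append('"');
                }
            }

            var href = new StringBuilder();
            if (!string.IsNullOrEmpty(controllerName))
            {
                href.Append('/').Append(controllerName);
            }
            if (actionName != "Index")
            {
                href.Append('/').Append(actionName);
            }
            if (queryString.Length > 0)
            {
                // Base64 contains '+', '/' and '='; escape the token so that '+' is not
                // decoded as a space by the query-string parser on the way back in.
                href.Append("?q=").Append(Uri.EscapeDataString(Encrypt(queryString)));
            }

            anchor.Append(" href=\"").Append(WebUtility.HtmlEncode(href.ToString())).Append('"');
            // Link text is encoded like the framework's own ActionLink does, so caller-supplied
            // text cannot inject markup.
            anchor.Append('>').Append(WebUtility.HtmlEncode(linkText)).Append("</a>");
            return new MvcHtmlString(anchor.ToString());
        }

        /// <summary>
        /// Encrypts <paramref name="plainText"/> with DES-CBC using the fixed key/IV and
        /// returns the ciphertext as Base64.
        /// SECURITY(review): DES is a legacy 56-bit cipher, the IV is constant (same plaintext
        /// gives the same token), and there is no integrity tag, so a modified token is not
        /// detected before decryption. Kept as-is only so the existing decrypt side keeps
        /// working; treat the output as obfuscation, not protection.
        /// </summary>
        /// <param name="plainText">The UTF-8 text to encrypt.</param>
        /// <returns>Base64 of the DES-CBC ciphertext with PKCS7 padding.</returns>
        private static string Encrypt(string plainText)
        {
            // Only the first 8 characters of Key are used: DES takes an 8-byte key.
            byte[] encryptKey = Encoding.UTF8.GetBytes(Key.Substring(0, 8));
            byte[] input = Encoding.UTF8.GetBytes(plainText);

            // All three are IDisposable; the original leaked them.
            using (var des = new DESCryptoServiceProvider())
            using (var encryptor = des.CreateEncryptor(encryptKey, Iv))
            using (var mStream = new MemoryStream())
            using (var cStream = new CryptoStream(mStream, encryptor, CryptoStreamMode.Write))
            {
                cStream.Write(input, 0, input.Length);
                cStream.FlushFinalBlock();
                return Convert.ToBase64String(mStream.ToArray());
            }
        }
    }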

    2. Create an EncryptedActionParameterAttribute custom attribute to decrypt and validate the token; if the token is not valid, redirect to an error page:

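    /// <summary>
    /// Action filter that reads the encrypted <c>q</c> query parameter produced by
    /// <c>MyExtensions.EncodedActionLink</c>, decrypts it and copies the contained
    /// <c>name=value</c> pairs into the action parameters. A token that cannot be decoded
    /// ends the request with HTTP 400 instead of surfacing as an unhandled exception.
    /// SECURITY(review): decrypting successfully proves nothing about who sent the token.
    /// The key and IV are fixed and there is no integrity tag, so a token is reusable by
    /// anyone who has seen it. Do not treat a decrypted value (e.g. a user id) as
    /// authenticated; take identity from <c>filterContext.HttpContext.User</c>.
    /// </summary>
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
    public class EncryptedActionParameterAttribute : ActionFilterAttribute
    {
        // Both values must match the ones in MyExtensions. A key in source code is a
        // shared secret every reader of the repository has; move it to configuration.
        private const string Key = "jdsg432387#";
        private static readonly byte[] Iv = { 55, 34, 87, 64, 87, 195, 54, 21 };

        /// <summary>
        /// Decrypts <c>?q=</c> when present and injects each <c>name=value</c> pair into
        /// <see cref="ActionExecutingContext.ActionParameters"/> as a string value.
        /// Malformed or undecodable tokens short-circuit the request with a 400 result.
        /// </summary>
        /// <param name="filterContext">The MVC action context being executed.</param>
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            // Read from the filter context instead of HttpContext.Current so the
            // filter can run under a mocked context.
            string token = filterContext.HttpContext.Request.QueryString.Get("q");
            if (token != null)
            {
                string decrypted;
                try
                {
                    decrypted = Decrypt(token);
                }
                catch (FormatException)
                {
                    // Not valid Base64.
                    filterContext.Result = new HttpStatusCodeResult(400);
                    return;
                }
                catch (CryptographicException)
                {
                    // Not a whole number of DES blocks, or the padding did not verify.
                    filterContext.Result = new HttpStatusCodeResult(400);
                    return;
                }

                // Pairs are separated by '?' (the encoding side's choice). Split each on
                // the first '=' only so a value that itself contains '=' survives.
                foreach (string pair in decrypted.Split('?'))
                {
                    string[] kv = pair.Split(new[] { '=' }, 2);
                    if (kv.Length != 2 || kv[0].Length == 0)
                    {
                        // Plaintext did not have the expected shape: reject rather than
                        // throw IndexOutOfRangeException as the original did.
                        filterContext.Result = new HttpStatusCodeResult(400);
                        return;
                    }
                    // Indexer rather than Add: a repeated name overwrites instead of throwing.
                    filterContext.ActionParameters[kv[0]] = kv[1];
                }
            }
            base.OnActionExecuting(filterContext);
        }

        /// <summary>
        /// Reverses <c>MyExtensions.Encrypt</c>: Base64-decodes the token and decrypts it
        /// with DES-CBC under the fixed key/IV.
        /// </summary>
        /// <param name="encryptedText">Base64 ciphertext as received from the query string.</param>
        /// <returns>The decrypted UTF-8 plaintext.</returns>
        /// <exception cref="FormatException">The token is not valid Base64.</exception>
        /// <exception cref="CryptographicException">The data length or padding is invalid.</exception>
        private string Decrypt(string encryptedText)
        {
            // DES takes an 8-byte key; only the first 8 characters of Key are used.
            byte[] decryptKey = System.Text.Encoding.UTF8.GetBytes(Key.Substring(0, 8));
            byte[] input = Convert.FromBase64String(encryptedText);

            // All four are IDisposable; the original leaked them.
            using (var des = new DESCryptoServiceProvider())
            using (var decryptor = des.CreateDecryptor(decryptKey, Iv))
            using (var ms = new MemoryStream())
            using (var cs = new CryptoStream(ms, decryptor, CryptoStreamMode.Write))
            {
                cs.Write(input, 0, input.Length);
                cs.FlushFinalBlock();
                return System.Text.Encoding.UTF8.GetString(ms.ToArray());
            }
        }
    }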

    3. In the view page, you can use it like:

    ...
    @Html.EncodedActionLink("TestEncrypt", "TestEncrypt", "Test2", new { a="hh",b="abc" }, null)@*the original parameter value*@
    ...

    The answer is from this link; you could use it as a reference.

    Best Regards.

    Yuki Tao

    Friday, November 9, 2018 8:21 AM