Click here to Skip to main content
Rate this: bad
good
Please Sign up or sign in to vote.
See more: ASP.NET
i want to hide url parameters.
for example /default.aspx?id=23
here i want to hide parameter id so any user cann't change this parameter in url.
or another is if user change id=23 to 27 then same page will be displayed.it means the page for id=23 could not be change for changing id in url. what is solution for this?
Posted 17-Feb-11 6:33am
Rate this: bad
good
Please Sign up or sign in to vote.

Solution 2

(1)Use a form and POST the information. This might require additional code in source pages, but should not require logic changes in the target pages (merely change Request.QueryString to Request.Form). While POST is not impossible to muck with, it's certainly less appealing than playing with QueryString parameters.
 

(2)Use session variables to carry information from page to page. This is likely a more substantial effort compared to (1), because you will need to take session variable checking into account (e.g. the user might now have a difficult time navigating around using their Back and Forward buttons, if you are constantly checking state). You will also need to deal with the case where session cookies are not enabled (this solution will not work for these people).
 

(3)Use "encoded" or non-sensical information in the QueryString in place of the real data. This will require the effort of creating an encoding and decoding scheme on either end of all page submissions. Sure, users can still experiment and reverse engineer your scheme, however they will be less likely to quickly come up with meaningful changes to the existing QueryString.
 

(4)Use framesets. I really don't recommend this approach, though it is quite common. If you're trying to hide the information as opposed to making it more difficult to modify, users can still right-click the individual frames and click properties, in order to retrieve all of the information passed via QueryString.
 

(5)Use Server.Transfer to move control to a second page, which will still have access to the QueryString parameters passed to the first page (the URL of which was visible only briefly).
 
One problem with moving away from QueryStrings is that they make your site harder to use. If you are relying on any method other than (3), it is impossible for users to bookmark the current page as is... they can only bookmark the page in a way that resembles what would have happened if they had simply typed the URL in (which might not even work, depending on how you've constructed the page). So that's just one thing to keep in mind when deciding how sensitive your information really is, and how far you're willing to go in the balance of usability vs. security.
 

Also check these pages out;
http://www.codeproject.com/aspnet/urlrewriter.asp[^]
http://weblogs.asp.net/scottgu/archive/2007/02/26/tip-trick-url-rewriting-with-asp-net.aspx[^]
  Permalink  
v3
Comments
Sandeep Mewara at 17-Feb-11 11:55am
   
Good answer! 5++
orc_orc_orc at 17-Feb-11 12:57pm
   
thanks.
SAKryukov at 17-Feb-11 15:49pm
   
I like your set of possibilities, my 5!
 
I suggest this answer to be accepted by OP.
 
I would also like to see some evaluation of each and the warning against hiding of anything in URL made by Henry. That's why I like his Answer the most.
 
--SA
Rate this: bad
good
Please Sign up or sign in to vote.

Solution 3

Hiding any part of a url is highly suspicious. It is the sort of thing that is used in phishing attacks.
 
If you look at the url displayed for your question it does not use an id, it uses a named page. This is a far better way to do it.
  Permalink  
Comments
SAKryukov at 17-Feb-11 15:45pm
   
Henry, this is the best answer so far, my 5.
Suggest it as a final answer to be accepted by OP.
I would also combine it with the recommendation to use POST instead of URL parameter -- simple refer to other Answers.
--SA
Rate this: bad
good
Please Sign up or sign in to vote.

Solution 1

0) You could create a GUID string and place your value at a known position in the string.
 
1) I think you can actually hide the query string (not display it in the address bar) - google is your friend.
 
2) google "asp.net single sign-on"
  Permalink  
v2
Comments
Ashishmau at 18-Feb-11 1:54am
   
use urlrewriting for this

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
0 Sergey Alexandrovich Kryukov 575
1 Kornfeld Eliyahu Peter 409
2 Maciej Los 369
3 DamithSL 196
4 OriginalGriff 188
0 OriginalGriff 6,353
1 DamithSL 4,854
2 Maciej Los 4,466
3 Kornfeld Eliyahu Peter 4,058
4 Sergey Alexandrovich Kryukov 3,897


Advertise | Privacy | Mobile
Web04 | 2.8.141220.1 | Last Updated 17 Feb 2011
Copyright © CodeProject, 1999-2014
All Rights Reserved. Terms of Service
Layout: fixed | fluid

CodeProject, 503-250 Ferrand Drive Toronto Ontario, M3C 3G8 Canada +1 416-849-8900 x 100