Hi All,

We have an ASP.NET web application, and we use the JavaScript function window.open
to pass data between pages, e.g. window.open("Students.aspx?ID=123456");
and in the Students.aspx page we read the value with Request.QueryString["ID"].

But we face a problem: the end user can change the ID in the URL and see the info for a different student, e.g. change ID=123456 to ID=132540 and see that student's data.


Please let me know how we can protect against this.
Also note that we can't rewrite the application to use a different way of passing the data.

Thank you very much

Quote:
Never pass sensitive data using a query string, because the information is visible to users and can easily be modified, thus representing a potential security risk.
--MSDN

You can use public properties to pass the value in a more secure way. The public properties can be accessed in the next page with the help of PreviousPage.
Example:
C#
Label1.Text = PreviousPage.ID;

There are other ways too to do this. Check this detailed article in MSDN
How to: Pass Values Between ASP.NET Web Forms Pages[^]

In case of any doubts, please let me know :)
   
Comments
Zeyad Jalil 6-Jan-16 7:05am
   
I try to use the PreviousPage Property but in the destination page the Previous page is null, please let me know why it is null
Suvendu Shekhar Giri 6-Jan-16 7:32am
   
How are you redirecting to the target page?
Can you share the relevant code?
Zeyad Jalil 6-Jan-16 8:03am
   
Thank you, I noticed that and changed the redirect to use Server.Transfer.
But I want to ask if we use window.open from javascript how to do this, and what is the more secure way.

Thank you very much
Suvendu Shekhar Giri 6-Jan-16 8:10am
   
It will not work with window.open() as far as I know. Better to use Server.Transfer.
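As an added illustration of the mechanism discussed in this answer and its comments (this is example code, not code from the original post or from the asker's application): the source page exposes the selected ID as a public property and hands off with Server.Transfer, and Students.aspx declares a PreviousPageType directive so that PreviousPage is strongly typed. The page names Search.aspx/Students.aspx, the property name SelectedStudentId and the control Label1 are assumptions for the example.

```csharp
using System;
using System.Web.UI;

// ---- Search.aspx.cs: the page that currently calls window.open ----
public partial class Search : Page
{
    // Exposed to the target page; set on the server before transferring, so the
    // browser never sees or edits it.
    public int SelectedStudentId { get; private set; }

    protected void OpenStudent_Click(object sender, EventArgs e)
    {
        SelectedStudentId = 123456; // e.g. taken from the selected grid row

        // Server.Transfer keeps the request on the server, so PreviousPage is
        // populated in Students.aspx. Response.Redirect or window.open issue a
        // brand-new request and PreviousPage would be null there.
        Server.Transfer("~/Students.aspx");
    }
}

// ---- Students.aspx markup: make PreviousPage the Search type ----
// <%@ PreviousPageType VirtualPath="~/Search.aspx" %>

// ---- Students.aspx.cs ----
public partial class Students : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Null whenever Students.aspx was requested directly (typed URL,
        // window.open, a redirect). Refuse rather than fall back to the query string,
        // otherwise the tampering problem comes straight back.
        if (PreviousPage == null)
        {
            Response.StatusCode = 400;
            Response.SuppressContent = true;
            Context.ApplicationInstance.CompleteRequest();
            return;
        }

        int id = PreviousPage.SelectedStudentId; // typed via PreviousPageType
        Label1.Text = id.ToString();
    }
}
```

Note that this changes how the ID travels, not who is allowed to see it: a logged-in user can still pick any row on the source page. Whether that user may view the chosen student still has to be decided on the server, as the other solution on this page describes.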
You need to implement some kind of authentication so people need to log in to use the system, and then check that the logged-in person has access to the resources they are requesting. So if someone has a student ID of 1234 on the query string, you first check that the logged-in person has the right to access student 1234's data, either because they *are* that student or because they are an admin.

Things you shouldn't spend time doing | The ASP.NET Forums[^]
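The check described in this solution, written out as an added example (not code from the original thread or the asker's application). Students.aspx keeps reading Request.QueryString["ID"], so nothing about the window.open call changes; what changes is that the page now decides on the server whether the logged-in user may see that ID. The "Registrar" role, the StudentDirectory lookup with its constructed sample data, and the Label1 control are assumptions for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Web.UI;

// Assumed server-side mapping from login name to the student's own ID. In a real
// application this is a database or directory lookup; the data here is constructed.
public static class StudentDirectory
{
    private static readonly Dictionary<string, int> OwnIds =
        new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase)
        {
            { "zeyad", 123456 },
            { "maria", 132540 },
        };

    public static int? GetOwnStudentId(string userName)
    {
        int id;
        return OwnIds.TryGetValue(userName ?? string.Empty, out id) ? id : (int?)null;
    }
}

public partial class Students : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // 1. Authentication: who is asking? Forms authentication normally redirects
        //    anonymous users already; this guards the page if that is ever misconfigured.
        if (!User.Identity.IsAuthenticated)
        {
            Fail(401);
            return;
        }

        // 2. Validate the untrusted input before using it anywhere.
        int requestedId;
        if (!int.TryParse(Request.QueryString["ID"], out requestedId) || requestedId <= 0)
        {
            Fail(400);
            return;
        }

        // 3. Authorization: may THIS user see THIS record? Same response whether the
        //    ID exists or not, so the check cannot be used to enumerate valid IDs.
        if (!CanView(User.Identity.Name, requestedId))
        {
            Fail(403);
            return;
        }

        Label1.Text = requestedId.ToString(); // safe to load and render the record now
    }

    // Staff in the Registrar role see everyone; a student sees only the record tied
    // to their own login. The permitted ID comes from the server-side mapping, never
    // from anything the client sent.
    private bool CanView(string userName, int studentId)
    {
        if (User.IsInRole("Registrar"))
            return true;

        int? ownId = StudentDirectory.GetOwnStudentId(userName);
        return ownId.HasValue && ownId.Value == studentId;
    }

    private void Fail(int statusCode)
    {
        Response.StatusCode = statusCode;
        Response.SuppressContent = true;
        Context.ApplicationInstance.CompleteRequest();
    }
}
```

The same rule has to be applied in every place that returns student data for an ID (postback handlers, web services, report pages), not just in the page the user happens to land on first; otherwise the attacker simply changes the ID on the endpoint that forgot to check.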
   

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


