Protect Tampering Of Query String

Question

0.00/5 (No votes)

See more:

Hi All,

We have an asp.net web application and we are use the javascript function window.open
to pass data between pages like, window.open("Students.aspx?ID=123456");
and in the Students.aspx page we get the value by Request.QueryString["ID"].

but we face a problem, the end user can change the ID in the url and can see students info for other student like change ID=123456 to ID=132540 and see the student data.

Please let me know how we can protect this.
also notice that we can't rewrite the application change to use different way for the passing data

Thank you very much

Posted 3-Jan-16 20:44pm

Zeyad Jalil

Add a Solution

2 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Suvendu Shekhar Giri · Answer 1 · 2016-01-03T21:14:00

Solution 1

Quote:
Never pass sensitive data using a query string, because the information is visible to users and can easily be modified, thus representing a potential security risk.

--MSDN

You can use public properties to pass the value in a more secure way. The public properies can be accessed in the next page with the help of PreviousPage.
Example:

C#

Label1.Text = PreviousPage.ID;

There are other ways too to do this. Check this detailed article in MSDN
How to: Pass Values Between ASP.NET Web Forms Pages[^]

Incase of any doubts, please let me know :)

Posted 3-Jan-16 21:14pm

Suvendu Shekhar Giri

Comments

Zeyad Jalil 6-Jan-16 7:05am

I try to use the PreviousPage Property but in the destination page the Previous page is null, please let me know why it is null

Suvendu Shekhar Giri 6-Jan-16 7:32am

How are you redirecting to the target page?
Can you share the relevant code?

Zeyad Jalil 6-Jan-16 8:03am

Thank you, I notice that and change the redirect to use server.transfer.
But I want to ask if we use window.open from javascript how to do this, and what is the more secure way.

Thank you very much

Suvendu Shekhar Giri 6-Jan-16 8:10am

It will not work on window.open() as far I know. Better to use Server.Transfer

F-ES Sitecore · Answer 2 · 2016-01-03T23:55:00

You need to implement some kind of authentication so people need to log in to use the system, and then you check that the person logged in has access to the resources they are requesting, so if someone has student ID of 1234 on the querystring, you first check the logged in person has the right to access student 1234's data, either because they *are* that student or because they are an admin.

Things you shouldn't spend time doing | The ASP.NET Forums[^]