Skip to main content

How to write secure mvc application using encrypting URL

There are lots ways available to write the secure Mvc application. In my experience I came across lots of secure application in public facing. I want to tell about some of the mechanism I followed.
1- encrypting the URL Parameters and preserving id's encrypted on the client side
1- I always make sure if I pass Id or any sensitive data into the view always make sure it's encrypted. By doing so make sure if we forced to use HTML.hidden or HTML.hidden for have the encrypted values, in action link if I pass any parameters from the client side (eg:- edit or create or navigating between different actions we can make sure that all the values are encrypted)
During the design of the actions results if it's http get I usually encrypt the sensitive data
[httpget]
Public actionresult display()
{
TestModel testModel=new TestModel();
testModel.id= encrypt(id);
Return View(testModel);
}
[httppost]
Public ActionResult Display(string id)
{
Guid d_id= new Guid(decrypt(id));
// do operation with id
// edit, view, create
String e_id=encrypt(d_id);
Return RedirectToAction{"edit", e_id);
}
By following above encryption mechanism In view if you use the following code
<%:html.hiddenfor(model=>model.id);%>
Or  <%:html.hidden("id", Model.id);%>
Also we can make sure that the id won't be visible to the public.
Thanks
Adarsh

Comments

Popular posts from this blog

Single page application (SPA) using ext.js

what is spa? Single page application are applications that fit in one page with rich and fluid user experiences like a desktop based applications. Why is SPA? All web based elements (html, CSS,javascript) are downloaded from the server on single page load and avoid the continuous page post back. i can explain what this mean. Suppose your web application is made of certain flow and it consists of 5 different pages. Each page need to get data from the user and save before moving to the next page. So when we navigate from one page to other it need to make a round trip to server to store the data in one page and get the data for the next page to display. but in spa we can avoid the continuous post backs. The whole page will not post back any time other than the first load. But it communicate to the server dynamically behind the scene and can achieve the same functionality. Spa using ext.js designing a SPA using ext.js is a challenging task if you are unaware about the ext.js

Sql Server Internals - Named Pipes

Named pipes enables clients applications to request a reliable and two way connection between the client application and Sql Server, across a network. A named pipe has a name which follows the UNC naming convention : \\Server\pipe\name The default names pipe for SQL server is :                 \\Server\pipe\sql\query A named instance would have a named pipe of                \\server\pipe\MSSQL$instancename\sql\query Early versions of SQL Server only provided Named Pipes. Named Pipes also allows for impersonation of a clients credentials. The feature is used by SQL server when using Linked Servers. The clients logon credentials are passed across to the Linked Server for authentication. Named Pipes can operate over TCP/IP, NETBEUI or IPX as it indirectly relies on the Common Internet Files Sytems