#2, August 17th, 2009, 05:09 PM
Imar (Wrox Author)
Hi there,

What you are referring to is called "security by obscurity" which is a bad thing. E.g. you think your application is safer because data is harder to guess. However, it's still open and guessable, and thus insecure.

Is it an option to check on the destination page whether the user has the correct permissions? E.g.:
    ' Read the requested item ID from the query string.
    contentId = Request.QueryString("Id")

    ' Deny access unless the current user is allowed to view this item.
    If CheckUser(contentId) = False Then
        Response.Redirect("NoRights.asp")
    End If

    ' Get the item from the database.
Your CheckUser method could then check whether the user is allowed to view the item or not. How you check that depends on your application.

BTW: I think the long IDs you are referring to are not obscured simple IDs, but true, long IDs. Windows, for instance, has the notion of a GUID - a Globally Unique Identifier which is typically a long string (36 characters if I am not mistaken). It's not obscured, it's just very unique and thus very long ;-)

Hope this helps,

Imar
__________________
Imar Spaanjaars
http://Imar.Spaanjaars.Com
Follow me on Twitter

Author of Beginning ASP.NET 4.5 : in C# and VB, Beginning ASP.NET Web Pages with WebMatrix
and Beginning ASP.NET 4 : in C# and VB.
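The check Imar describes, as an added example that is not part of the original post: a server-side authorization check on the item ID supplied by the client, written in Python rather than classic ASP so it runs stand-alone. The item store, user names, `check_user` / `view_content` function names and the fixed GUID are all hypothetical. It also puts the "obscurity only" version next to the real check, to show that a long GUID-style ID is served just as readily as a small integer once someone knows it; only the ownership check stops that.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs

# Constructed sample data (hypothetical): three items belonging to two users.
# One item uses a 36-character GUID-style ID to show that ID length is
# irrelevant to the authorization decision.
ALICE_GUID = "9b1deb4d-3b7d-4bad-9bdd-2b0d7b3dcb6d"


@dataclass(frozen=True)
class Item:
    id: str
    owner: str
    body: str


ITEMS = {
    "1001": Item("1001", "alice", "Alice's draft"),
    "1002": Item("1002", "bob", "Bob's notes"),
    ALICE_GUID: Item(ALICE_GUID, "alice", "Alice's private report"),
}

# Hypothetical role data: admins may view everything.
ADMINS = {"admin"}

NO_RIGHTS = ("redirect", "NoRights.asp")


def check_user(user: str, content_id: str) -> bool:
    """Server-side authorization: the current user may view the item only
    if they own it or are an admin. Unknown IDs are denied as well, so the
    response does not reveal which IDs exist."""
    item = ITEMS.get(content_id)
    if item is None:
        return False
    return item.owner == user or user in ADMINS


def view_content(user: str, query_string: str):
    """Mirrors the ASP snippet: read Id from the query string, redirect to
    NoRights.asp unless check_user passes, otherwise return the item."""
    params = parse_qs(query_string, keep_blank_values=True)
    content_id = params.get("Id", [""])[0].strip()
    if not check_user(user, content_id):
        return NO_RIGHTS
    return ("ok", ITEMS[content_id].body)


def view_content_obscurity_only(user: str, query_string: str):
    """The 'security by obscurity' version: any ID that exists is served,
    no matter who asks. The user argument is deliberately unused."""
    params = parse_qs(query_string, keep_blank_values=True)
    content_id = params.get("Id", [""])[0].strip()
    item = ITEMS.get(content_id)
    if item is None:
        return NO_RIGHTS
    return ("ok", item.body)


if __name__ == "__main__":
    # Bob guesses Alice's integer ID: denied by the real check.
    print(view_content("bob", "Id=1001"))
    # Bob has learned Alice's GUID (shared link, referrer log, ...):
    # the obscurity-only page hands it over, the checked page does not.
    print(view_content_obscurity_only("bob", "Id=" + ALICE_GUID))
    print(view_content("bob", "Id=" + ALICE_GUID))
```

The point of keeping the two handlers side by side is that the query-string parsing, the lookup and the redirect target are identical; the only difference is whether the decision depends on who is asking. Note that `check_user` takes the user from the session on the server side, never from the request, and that a missing or unknown `Id` gets the same redirect as a forbidden one.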