I am writing a project on asp net using a standard (built-in) system of identification, registration, user login. Those. There are standard tables in the database. Specifically, there is an AspNetUsers table in which information about registered users is stored. There is a field ID. There is a users.aspx page where you need to display all registered users (for example, name, phone, mail) and so that the "name", for example, is a link, when clicked, the user.aspx page opens with detailed information about the user (details are drawn from the related table) . The problem is that you need to pass a parameter to the user.aspx page. The parameter is the user Id. It is necessary in order to actually pull out the necessary data from the database. Accordingly, the Id of all users becomes visible to everyone, and on the users.aspx page. there are formed links like

"a href='/user?id=da9d2146-9812-454f-9355-dd908dd77653' > Иванов/a"

and on the user.aspx page in the url.

How to hide user Id ???? Tell me pliz.

There is also, for example, a code that sends to the server the information that the user has come online (signalR) and then also Id slips:

  $.connection.hub.start().done(function () { chat.server.connect('642519d1-e776-40fd-9ccc-fae520a18011'); });

Or the function of sending a message (also signalR), where you need to specify which user and to whom the message was sent:

  chat.server.send_mes_private('642519d1-e776-40fd-9ccc-fae520a18011', 'dbc8016d-e735-4214-85f5-81c490f72017', $('#btn-input').val()));

Accordingly, if you insert other data there, you can send a message not from yourself, but from another user.

The code does not explicitly state the ID, the server inserts it there:

  chat.server.send_mes_private('<% Response.Write(User.Identity.GetUserId());%>', '<% Response.Write(Request.QueryString["id"]); %>', $('#btn-input').val().replace(/\n/g, '<br>')); $('#btn-input').val('');

And in the formed page Id is already visible ... Thank you.

  • You are using a ready-made component, according to the description it’s not quite clear what ... If this component does not support encryption, then ... the variant is probably 2. 1) Look for another chat library. 2) Remember the encrypted user token in the cookie during registration, and when processing the request — either in aspx or asax (in the code that affects your page), check the token for validity, and whether the Request["id"] (if you have it) is appropriate to that which is token. - nick_n_a February
  • Yes, all of you try to send a message on behalf of another user, first. asp stores a bunch of data, including the asp token that the user entered. It is possible that this option2 has already been implemented there having foreseen such a problem, and it will not allow this to be done, despite the idle id. - nick_n_a February
  • I tried - sent ... - Alexander
  • Then protect yourself with a token. To generate a token, I needed encryption because it was rolling, but then the authorization task disappeared and there is no ready example of protection. - nick_n_a February

0