I've got a html.password helper control on an edit profile type screen. Is there a way to set the value of this when the page first loads so that if the user doesn't want to change their password, the existing one gets passed back to the controller.
Thanks
Nick
Html.Password helper does not use ViewData automatically (see ASP.NET MVC source, InputExtensions.cs file, line 78, line 184). You need something like this:
<%= Html.Password("password", ViewData["password"]) %>
UPDATED:
Tested in Opera 10b, Firefox 3.5, Internet Explorer 8
I know this isn't a direct answer to your question, but coming at this from the user's point of view, would the user want their password being transmitted like this. I know I would not want any of my passwords transmitted anywhere unless it was absolutely necessary.
Most sites that I've seen only require a new password in the profile screen if it needs to be changed. If it is to remain the same and not updated the blank password fields are an indication of that. It also means that you can store the passwords in a more secure way (e.g. a one way salted hash) that does not permit password retrieval in any way (which if they could be retrieved would be a potential security risk in itself)
Related
To generalize this question I asked this morning, and please accept my apologies if this has been asked before and I simply don't know what to search for, but I'm curious how Rails handles the following situation:
Using Devise, I log in a user, with an ID of 2.
I click on a link that has been created to "edit my profile" (which simply would go to the /users/2/edit page).
Using Firebug (or something similar), I modify the form and change the action from action='/users/2' to action='/users/5'.
I change an element on the form, and click submit.
At this point, Rails appears to allow the submission and update user with ID 5 with my changes.
I'm guessing I'm not the first one to ask this question. It seems to me like Rails should handle this "out of the box", but I could be wrong. Does Rails handle this natively and I'm just missing something? Has this been asked before on SO or somewhere else that I'm missing?
A few things:
Don't create a route that accepts a DB id. Instead, make it something like /my_profile.
If an id is passed in the params, ignore it entirely in the controller. Instead lookup the current_user that is logged in and show them their own profile regardless of what profile/user id is passed in.
Finally, and possibly most important, use authorization (what a user is allowed to do) in order to disallow one user from editing another user's profile. Not to be confused with authentication (user logins/logouts).
With this approach it won't matter if the DOM is changed, because the server should never implicitly trust what is passed to it, which is the problem you're facing now. Any web/app server must always confirm that the parameters being passed to it are actually valid in the context of what the current user is allowed to do.
This idea that the server should never trust what's passed to it is a critical idea to apply to every single action in your app, without exception.
Guys i'have a question.
I'm currently buiding a wizard that has 5 step's until being completed.
The user starts by the first step where he generates the entry id.
From there on i start passing the id over the url like this:
host.com/{controller}/{view}/{id}
This is how my url looks like after the step1,
------- currently at view step2 passing the id=120
host.com/{controller}/step2/120
This isn't safe because as you know, anyone can change the id and affect other users's entries. Ofc, it can be quickly solved by reading if the authenticated user is proprietary of the entry that he must be trying to access in each view.
Now, my question is... is there a better way to do this?
Any tips for future work?
Is what i'm doing enougth?
(begginer doubt praying for a expert awnser)
Cheers
...It can be quickly solved by reading if the authenticated user is proprietary of the entry that he must be trying to access in each view.
Yes, that's true. You should start there.
Here are some other things that you could do:
You could make your entry ids Guids instead, so that a would-be hacker would never try to guess an entry id.
Because using GET for sensitive data is a bad idea, you could, as endyourif suggests, pass the entry ids with hidden fields instead.
If you are truly concerned about the user altering the ID in the URL, then you must spend the additional time adding an "isOwnedBy" like functionality.
As an additional security measure, you could pass it via a hidden variable in the form so it is at least not as easy to change as well.
Edit: I like #LeffeBrune's suggestion of encrypting the idea as well. However, I still suggest that the validation is performed on the function to ensure the user owns the object. It's just good practice.
We have been using asp.net mvc for development. Sometimes, we need to put some hidden fields on form that are shoved in the model by modelbinder (as expected). Nowadays, users can easily temper the form using firebug or other utilities. The purpose of hidden field is mostly to provide some information back to server on as is basis and they are not meant to be changed.
For example in my edit employee form I can put EmployeeID in hidden field but if user changes the employeeID in hidden field, wrong employee will be updated in the database. in this scenario how can we keep the integrity of hidden fields.
You need to enforce security to ensure that the person doing the modification has permission to do so. I'd also put the id in the URL typically rather than a hidden field, relying on the security to ensure that people don't modify things that they shouldn't be able to. If they do have permission to modify the item when changing the id manually, it shouldn't be a problem. The important thing is to make sure that a person can't change the id manually and get access to something they shouldn't. Enforcing server side permissions solves this problem. You can easily do this using Roles in conjunction with the AuthorizeAttribute.
if user changes the employeeID in
hidden field, wrong employee will be
updated in the database
This is a major security hole in your website. In everything you do with web development, no matter how clever someone's code might be or how much you think you'll be ok as long as users don't do something, remember one golden rule: Never implicitly trust data received from the client.
In order to modify anything in your website, the user must be logged in. (Right?) So in any attempt a user makes to post a form to the website (especially one which can modify data), double-check that the user submitting the form has permission perform the action being requested on the data being specified.
Ideally, every action which isn't completely public and unsecured should have a server-side permissions check. Never, ever trust what the client sends you.
One potential alternative would be to store that static, single-use information in TempData on the server and not pass it to the client where it could be tampered with. Keep in mind that by default TempData uses Session and has limitations of its own - but it could be an option.
helping my friend with his old ASP site and ran into an issue so I wanted to throw this out to see if i can get some help.
The site basically needs to POST data to another page which it's doing fine. The problem is that it's needs to POST the username/password to the receiving page and the site is currently holding that in hidden fields which is obviously no good since you can see it in the source code.
How can you pull the data in on the ASP page without having it hidden in an input field? I know it can get stored as a variable but then I can't POST it and if I put that variable in an input value field it shows up in the source.
Any help would be appreciated.
Thanks!
it needs to POST the username/password to the receiving page
No it doesn't. :)
If the two pages are part of the same site, use the Session object.
If the two pages are on different sites, things are trickier, but the idea is similar. I'm guessing this isn't the case for you, but if it is, look at OAuth. (For example, when you log in here, you use authentication from another site, but stackoverflow never sees your password for that site. Same idea.)
Create a database table that looks like
uniqueidentifier SessionId
varchar Username
varchar Password
Store the SessionId in the cookie with Response.Cookies.
Get the SessionId from the cookie in JavaScript, and send an ajax request to a page that gets the username and password from the database using the SessionId and outputs the values in JSON. Attach the values with javascript to a hidden field. You will still appear to be getting a value from the hidden field on the page that receives the form post, but if a user views the page source it would just say something like <input type="hidden" id="username" name="username" value="DefaultUserNameValue" />. The value will be assigned dynamically using javascript, which is not visible to the User.
What is the following portion of a Gmail URL for?
https://mail.google.com/mail/?**zx**=1efobg68r40co&**shva**=1#inbox
If you change it, nothing happens!!
I know Gmail is not an Open-Source program so we can't trace the code. But every website try to make the URL shorter so they ideally shouldn't add redundant data to the URL. At the same time they don't make any difference nor error if they change.
Edit: I know it's a parameter for a scripting language since I'm a PHP developer but as a developer I don't EVER add a useless parameter and I think it's obvious/primitive sense!
The acronym stands for "Should have valid authentication" as noted here:
http://googlesystem.blogspot.com/2010/07/gmails-shva-parameter.html
As others have noted, 1 is the default value.
If I'm remembering correctly, back when they were working on the current version of the interface, you could preview it by setting shva=2 instead of the default. That version is now the default and you can't get the old version, so shva does nothing now.
It may be used again in the future, who knows?
But every website try to make the URL shorter so they ideally shouldn't add redundant data to the URL...
This is self-evidently not true. Look at StackOverflow URLs for a perfect example. This post:
http://stackoverflow.com/questions/1692968/shva-in-gmails-url-what-is-this
could just as easily be (it works):
http://stackoverflow.com/questions/1692968
I don't think anyone worries these days about the extra couple bytes of data involved with an extra query string parameter.
Some of them saying it is" should have valid Authentication". We shall consider it OK.
But the real expansion of shva is "security host verification and authentication".
It always comes when you open Gmail.
We won't know what it 'exactly' means unless someone inside Google answers your question. But my guess would be that it has to do with security and encryption. Nothing happens when you change it because it is part of the cookie as well. So when you change it they must also compare it with what is set in the cookie.
"shva" is an acronym for "should have valid authentication". Apparently, the parameter is only included after a successful authentication.
The 1 is the default value applied to the parameter check. It's also a shorthand way for programmers to say true, like when you have successfully logged in.
The other part, #inbox, tells Gmail to load up your inbox as the first screen. You can change that to one of the other folders (or even labels you've created) to load them up.
E.g., https://mail.google.com/mail/?shva=1#sent will show your Sent folder items.
https://mail.google.com/mail/?shva=1#label/narwhals will load up your "narwhals" label.
Gmail, like many web services, serves a standard interface that will change to show only your information and data when you've logged in.
The particulars are referenced on their end through the use of an ID from the cookies or sessions generated after the login screen.