Security issue: how to prevent unexpected access from directly assigning a parameter

Hi,

With the scaffolding functionality I can easily create list-detail screens, but I am worried whether such screens are secure.
For example, I can build an employee payment screen with the following data entity by double drag-dropping the payment entity on the main flow page. I found that I can access other data items by directly assigning the parameter in the URL (i.e. by modifying the number "1" marked by the red circle on the detail page above, I can access all data in the payment table). I do not think these screens are secure, even in an in-house application.
I also found that similar parameter usages are available when making a popup page.
How can such a security concern be solved?


Best regards,
Hi, 

First thing, anything 'client side' related is not secure. Ever. So, even if you use a Submit to a page, which does not have the parameters visible in the URL (but does not work for Popups), the user can mess with the request header, etc. 

So the only way to guarantee security is to check, server side (preparation), if the user can work with the information he asked for. This way, if he messes with parameters, you can validate whether the values sent can be worked with by the user. If not, redirect him to the Invalid permissions page, for example. 

Cheers 

P. S. For some types of information you can use session variables, for example, as they exist only server side, but if the info is coming from the page, this is not possible either. 

Cheers 
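The server-side check described in this answer, written out as an added example in Python (not OutSystems code and not from this thread). The payment table, the session dictionary, the HR role set and every function name are constructed for illustration; the "preparation" check maps to the detail handler that validates the requested id against the identity held in the server-side session, and the session-variable approach from the P.S. is the last handler:

```python
"""Server-side authorization for a scaffolded list/detail screen.

Added example, not code from the forum thread or from any scaffolding
tool. It contrasts a handler that trusts the URL parameter with one
that validates the request against a server-side session, plus a
'my records' handler that needs no record selector at all.
All names and data below are constructed for this example.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Payment:
    payment_id: int
    employee_id: int
    amount: float


# Constructed sample table: payments for two employees.
PAYMENTS = {
    1: Payment(1, employee_id=100, amount=2500.0),
    2: Payment(2, employee_id=101, amount=2700.0),
    3: Payment(3, employee_id=100, amount=2550.0),
}

# Constructed role: HR staff may see any payment; employees only their own.
HR_USERS = {900}


class PermissionDenied(Exception):
    """Maps to the 'Invalid permissions' redirect in the answer above."""


def detail_unsafe(session: dict, raw_id: str) -> Payment:
    """Scaffold-style handler: trusts the URL parameter completely.
    Any authenticated user can walk PaymentId=1, 2, 3, ... and read them all."""
    payment = PAYMENTS.get(int(raw_id))
    if payment is None:
        raise KeyError(raw_id)
    return payment


def can_view(user_id: int, payment: Payment) -> bool:
    """The business rule: HR sees everything, an employee only their own rows."""
    return user_id in HR_USERS or payment.employee_id == user_id


def detail_checked(session: dict, raw_id: str) -> Payment:
    """Handler with the 'preparation' check: identity comes from the
    server-side session, never from the request, and the record is
    released only if that identity may work with it."""
    user_id = session.get("user_id")
    if user_id is None:
        raise PermissionDenied("not authenticated")
    try:
        payment_id = int(raw_id)
    except (TypeError, ValueError):
        # A tampered or malformed value gets the same treatment as a denied one.
        raise PermissionDenied("invalid permissions")
    payment = PAYMENTS.get(payment_id)
    # One response for 'does not exist' and 'not yours': a distinct message
    # would let a caller probe which ids exist in the table.
    if payment is None or not can_view(user_id, payment):
        raise PermissionDenied("invalid permissions")
    return payment


def my_payments(session: dict) -> List[Payment]:
    """Session-variable approach: the employee id is read from the session,
    so a 'my payments' screen has no record selector to tamper with."""
    user_id = session["user_id"]
    return [p for p in PAYMENTS.values() if p.employee_id == user_id]


def outcome(session: dict, raw_id: str) -> str:
    """Small wrapper used to exercise detail_checked: 'ok:<id>' or 'denied'."""
    try:
        return "ok:%d" % detail_checked(session, raw_id).payment_id
    except PermissionDenied:
        return "denied"


if __name__ == "__main__":
    employee = {"user_id": 101}          # constructed server-side session
    print("unsafe  :", detail_unsafe(employee, "1"))      # leaks employee 100's row
    print("checked :", outcome(employee, "1"))           # denied
    print("checked :", outcome(employee, "2"))           # ok:2
    print("hr      :", outcome({"user_id": 900}, "1"))   # ok:1
    print("mine    :", [p.payment_id for p in my_payments({"user_id": 100})])
```

The point the two handlers make side by side: the record id in the URL is still accepted as input, but it is treated as a claim to be verified against a server-held identity, not as a fact. Collapsing "no such record" and "not your record" into one outcome keeps the id space from being enumerated through the error message.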

Eduardo Jauch wrote:

So the only way to guarantee security is to check, server side (preparation), if the user can work with the information he asked for. This way, if he messes with parameters, you can validate whether the values sent can be worked with by the user. If not, redirect him to the Invalid permissions page, for example. 

Dear Eduardo,

Thanks for your advice.

We did the above check, whether the user can work with the data he asked for, in conventional development. But such a check is usually complicated.

I guessed there must be a better way to solve the problem, because the pages with such explicit parameters are created by the standard scaffolding method.

Cheers


Hi, 

Scaffolding is something overused. You can create a group of screen templates to replace the screens created with scaffolding, which automatically create the kind of security mechanisms you need, and use it + replace data instead of scaffolding. It's not perfect, but it will reduce most of the work you need to do. 

I don't know any other way of solving this easily, without some work... 

Cheers