Parameter Manipulation

How do you safely pass an Input parameter in OutSystems and avoid parameter manipulation?
(usage: passing values between screens).

Hi Robert

If you want to pass a parameter securely, you have two options:
  - pass it on the server side;
  - pass it encrypted on the client side.

To pass it on the server side, you can use session variables. Be careful with the amount of data you put there - if it is too much, you might want to put a key in the session and store the data in a specific entity. This might not work well if you want to pass that parameter from one eSpace to the other, in which case you might have to create a public API to share secure information and pass it between apps.

To pass it on the server side, you might want to use some sort of parameter encryption schema. OutSystems does not offer built-in support, but it should not be hard to build an extension to import a .NET or Java API (possibly some asymmetrical key algorithm) and encrypt the value - even if tampered with, there is no semantics in it.

This is what I can come up with. I would also like to remind you, as I heard someone say in the past, that using POST instead of GET (i.e. submit links instead of navigate) will simply hide the parameters for basic users, by keeping them out of the URL - for any slightly more advanced users there are tons of tools that allow capturing and tampering with POST requests also.

Thanks Acácio

Encryption may be used when necessary; in this particular case, passing the ID values via the session would be sufficient.