Question

I am looking to create a new Web App that will allow the user to first enter the user's ID, then navigate around the site based on that user's ID. So, first the user would search for an ID, select that user and have options available based on that ID.

Currently I am using the Query string to store the ID, so... /AddProduct/2222. This works fine but I'm not too sure about the security aspects. I've thought about sessions and cookies but I don't think they are suitable for this scenario. Or do I encrypt the ID for the query string?

Does anyone have any thoughts?

Thanks

Edit

I forgot to mention, the users will be authenticated and have specific permissions on each page on the site. The data is also stored in a database. So, the site will be querying and editing/adding to current data.


OTHER TIPS

So basically here you seem to be afraid that some user might modify an item belonging to another user. Alright, this sentence tells us already that you have users and items in your application and that there are some roles associated to those items. And you have a mechanism to identify those users. So you are probably using some sort of authentication such as the built-in FormsAuthentication for example. So now the question becomes: how to ensure that the currently authenticated user is not modifying the product that belongs to another user.

OK, so you have items that belong to users. I suppose that this information is stored somewhere on the server, presumably a database or something. One approach I would recommend to you is to write a custom authorization attribute which would check if the requested resource id actually belongs to the currently authenticated user.

For example:

using System;
using System.Web;
using System.Web.Mvc;

public class MyAuthorizeAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var isAuthorized = base.AuthorizeCore(httpContext);
        if (!isAuthorized)
        {
            // The user is not authenticated or authorized => no need to continue further
            return false;
        }

        // At this stage we know that the user is authorized => we can fetch
        // the username
        string username = httpContext.User.Identity.Name;

        // Now let's fetch the id of the resource he is trying to manipulate from the request.
        // With a route like /AddProduct/2222 the id lives in the route data, not in the
        // query string, so look there first and fall back to Request["id"].
        object routeId = httpContext.Request.RequestContext.RouteData.Values["id"];
        string id = routeId != null ? routeId.ToString() : httpContext.Request["id"];

        // All that's left is to verify if the current user is the owner
        // of the account
        return IsOwnerOfItem(username, id);
    }

    private bool IsOwnerOfItem(string username, string id)
    {
        // TODO: query the backend to perform the necessary verifications
        // about whether the user has permissions to work with the resource
        // pointed by the id parameter

        throw new NotImplementedException();
    }
}

and now all that's left is to decorate your AddProduct controller action with this custom attribute:

[MyAuthorize]
public ActionResult AddProduct(int id)
{
     // if we get that far we know that the currently authenticated user
     // is the owner of the resource pointed by the id parameter and we
     // could proceed respectively
     ...
}

With this approach you don't need to be using any sessions or encrypting anything. The encryption is already built into the ASP.NET framework under the form of a Forms Authentication cookie which holds the currently authenticated username in a secure manner. This cookie cannot be manipulated -> the user cannot impersonate another user. So once you've got the guarantee about who the current user is, all that's left to you is to perform the necessary authorization whether he can access the requested resource.
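As an added example (not the answer's code), here is one way the stubbed ownership check could be filled in for the attribute approach above: the id is read from the route (/AddProduct/2222), a missing or non-numeric id fails closed, ownership is checked with a parameterized query, and an authenticated user who is not the owner gets 403 instead of being bounced to the login page. The connection string name "AppDb", the Items table and its OwnerUsername column are assumptions.

```csharp
using System.Configuration;   // needs a reference to System.Configuration.dll
using System.Data.SqlClient;
using System.Web;
using System.Web.Mvc;

// Added example: authorize only the owner of the item whose id is in the route.
public class OwnsItemAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Authentication (and any Roles/Users restrictions) are checked first.
        if (!base.AuthorizeCore(httpContext))
            return false;

        // For /AddProduct/2222 the id is route data; fall back to query string/form.
        object raw = httpContext.Request.RequestContext.RouteData.Values["id"]
                     ?? httpContext.Request["id"];

        // Fail closed: a missing or non-numeric id is never an authorized request.
        int id;
        if (raw == null || !int.TryParse(raw.ToString(), out id))
            return false;

        return IsOwnerOfItem(httpContext.User.Identity.Name, id);
    }

    private static bool IsOwnerOfItem(string username, int id)
    {
        // Assumed schema: Items(Id int, OwnerUsername nvarchar); assumed connection string name.
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(
            "SELECT COUNT(*) FROM Items WHERE Id = @id AND OwnerUsername = @user", conn))
        {
            // Parameterized, so the route value can never change the query text.
            cmd.Parameters.AddWithValue("@id", id);
            cmd.Parameters.AddWithValue("@user", username);
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // The base answers 401, which forms authentication turns into a login redirect
        // even for a logged-in user; an authenticated non-owner should get 403 Forbidden.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```

Decorate the action as `[OwnsItem] public ActionResult AddProduct(int id)`; the same attribute covers every other action that takes an item id in its route.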

Licensed under: CC-BY-SA with attribution