1

(ASP.NET MVC 4.5) Imagine you have a model for a bank or a company that has IDs that are sensitive information such as an account number or some other personally identifying information. What is the best way, or at the least what are some strategies, to route the edit/display actions without placing this information in the URL?

Obviously this would be bad:

https://goliath-natinal.com/Accounts/Edit/954321

if 954321 is your bank account number.

I imagine one way of doing this would be to add a GUID to each account that acts as a surrogate key. But I'm very curious to know if there are any possibilities for doing something if you cannot change the database at all.

7
  • 1
    Usually you hide behind a ticketing system. Commented Feb 1, 2013 at 18:45
  • stackoverflow.com/questions/323200/… Commented Feb 1, 2013 at 20:04
  • MikeSmithDev, I don't see the relationship at all. Using HTTPS does not hide the URL from anything. The URL is unencrypted in the HTTPS transaction, it must be or there would be no way to establish the session at all. All that answer does is restate the problem in my question. Commented Feb 1, 2013 at 21:42
  • asawyer - What do you mean? Commented Feb 1, 2013 at 21:42
  • I did find this. stackoverflow.com/questions/1282243/… Commented Feb 2, 2013 at 16:03

1 Answer

1

Just throwing some ideas out here...

You could encrypt your identifier using Rijndael or some other type of encryption. You could salt and hash it based on other identifying fields related to the account. You could do that on the fly. You'd take a processing hit though.

If you're using a memcache or Azure caching you could create a map of accounts to GUIDs and let that just sit in the cache. If allowed, in the DB you could create a separate mapping table that maps the account to a new GUID.

Can you give more info on the full restrictions? I.E. Is the table restricted from change, or the whole DB? Could you create a new DB?


1 Comment

This is just theory. I was working on an MVC project at work for internal customers and I thought, "How would I handle this if the ID referenced by the controller as an action parameter was some sort of PID?"
