What are you really trying to accomplish here? Why is it bad if your users know the IDs of your model objects?
-- James
What I am trying to achieve is so that malicious users do not call controller actions in a loop with all the IDs, thereby killing the server.
-Vinod
> > Is there any easy way to encrypt the URL params that is seen in the URL.
> > I don't feel comfortable exposing the id of the models to the external
> > user.
>
> What are you really trying to accomplish here? Why is it bad if your
> users know the IDs of your model objects?
>
> -- James
And what would happen if they just repeatedly threw randomly generated parameters at it?
_Kevin
In that case, try and solve the problem you actually have, rather than find ways to hide it. There are plenty of ways you can prevent malicious users breaking an application.
1. Log the originating IP of requests and deny access after a certain number of requests.
2. Create a token which is hashed and must be included in requests, expire these after a certain amount of time.
3. Use a captcha form or similar principle to prevent automated requests.
Such techniques are much more efficient since they provide security at the point of the problem. As others have pointed out, malicious users can always find a way around obfuscation and you'll find yourself continually fighting fires with your code.
Ross
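The first two suggestions in the post above, sketched in Ruby as an added example; it is not code from the thread or from any participant. The "hashed token" is interpreted here as an HMAC-signed expiry time, and the secret, limits, and names such as `IpRateLimiter` and `permit_request?` are assumptions, with an in-memory counter standing in for a shared store.

```ruby
require "openssl"

# Constructed values for the example; a real app would load the secret from configuration.
SECRET = "example-secret-not-for-production"
TOKEN_TTL = 300     # seconds a token stays valid (assumed)
MAX_REQUESTS = 5    # requests allowed per IP per window (assumed)
WINDOW = 60         # rate-limit window in seconds (assumed)

# Constant-time string comparison so the check does not reveal how many characters matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Suggestion 2: token = "<expiry>.<HMAC-SHA256(secret, expiry)>"
def issue_token(now = Time.now.to_i)
  expiry = (now + TOKEN_TTL).to_s
  "#{expiry}.#{OpenSSL::HMAC.hexdigest('SHA256', SECRET, expiry)}"
end

def valid_token?(token, now = Time.now.to_i)
  expiry, mac = token.to_s.split(".", 2)
  return false unless expiry.to_s.match?(/\A\d+\z/) && mac
  expected = OpenSSL::HMAC.hexdigest("SHA256", SECRET, expiry)
  secure_equal?(mac, expected) && expiry.to_i > now
end

# Suggestion 1: sliding-window request counter per originating IP.
class IpRateLimiter
  def initialize(max = MAX_REQUESTS, window = WINDOW)
    @max = max
    @window = window
    @hits = Hash.new { |h, ip| h[ip] = [] }
  end

  def allow?(ip, now = Time.now.to_i)
    hits = @hits[ip]
    hits.reject! { |t| t <= now - @window }   # drop hits older than the window
    return false if hits.size >= @max
    hits << now
    true
  end
end

# The rate limit is checked first, so requests carrying guessed or random
# tokens still count against the sender's allowance.
def permit_request?(limiter, ip, token, now = Time.now.to_i)
  limiter.allow?(ip, now) && valid_token?(token, now)
end
```

Because the limiter runs before token validation, a client throwing randomly generated parameters at an action exhausts its allowance just as fast as one looping over real IDs.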