MVC Identity

Question

I have a MVC application working with Net Identity.
One of my pages is Profile. It returns my personal information and some settings.
The user needs to be logged in to have access to that.

[Authorize]
public ActionResult Profile() {
...
}

So once the user is logged in, the url will be like:
https://mywebsite.com/profile?id=5451836c-f290-41e2-b4f0-db2337b5e946

However if I know another person's guid, I can have all accesses to their profile/settings information, just changing the url:
https://mywebsite.com/profile?id=here-goes-a-different-guid2
https://mywebsite.com/profile?id=here-goes-a-different-guid3
https://mywebsite.com/profile?id=here-goes-a-different-guid4

Is that right ?
I know that having other people's guid or trying to invent one would be almost impossible but shouldn't I have access to their information JUST if I have logged in with their credentials ?
How can I fix it ?

Thx

Answer 1

Identity caches encrypted user data within an authentication cookie.

The following is how to get to the user name after a successful authentication.

var username = User.Identity.Name;  

Identity has the GetUserId() extension which fetches the user Id.

User.Identity.GetUserId()  

Do not add sensitive data like the user Id in the URL. When using an Id route parameter always make sure the current user (User.Identity.Name) can view/edit the data. This is typically a database design.

Answer 2

If not using user id (guid) in the URL, my other option would be int ID:
https://mywebsite.com/profile?id=1
https://mywebsite.com/profile?id=2
https://mywebsite.com/profile?id=3

But then would be even easier to people have access to other people information.
What would be the solution then ?

Answer 3

You should add code that checks that the authenticated user matches the profile requested.