MVC Identity

ANB 181 Reputation points

I have an MVC application working with .NET Identity.
One of my pages is Profile. It returns my personal information and some settings.
The user needs to be logged in to have access to that.

public ActionResult Profile() {

So once the user is logged in, the URL will be like:

However, if I know another person's GUID, I can have full access to their profile/settings information just by changing the URL:

Is that right?
I know that having other people's GUIDs or trying to invent one would be almost impossible, but shouldn't I have access to their information JUST if I have logged in with their credentials?
How can I fix it?



Accepted answer
  1. AgaveJoe 25,761 Reputation points

    Identity caches encrypted user data within an authentication cookie.

    The following is how to get to the user name after a successful authentication.

    var username = User.Identity.Name;  

    Identity has the GetUserId() extension which fetches the user Id.


    Do not add sensitive data like the user Id in the URL. When using an Id route parameter always make sure the current user (User.Identity.Name) can view/edit the data. This is typically a database design.

2 additional answers

  1. ANB 181 Reputation points

    If not using the user ID (GUID) in the URL, my other option would be an int ID:

    But then it would be even easier for people to have access to other people's information.
    What would be the solution then?

  2. Bruce ( 52,826 Reputation points

    You should add code that checks that the authenticated user matches the profile requested.
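
The ownership check that the accepted answer and the answer above both describe, as an added example that is not code from the original thread. It assumes ASP.NET MVC 5 with ASP.NET Identity 2 and Entity Framework 6; `ProfileController`, `AppDb` and `UserSetting` are hypothetical names.

```csharp
using System.Data.Entity;
using System.Linq;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;   // provides User.Identity.GetUserId()

// Hypothetical entity: settings rows keyed by an int Id, each tied to one user.
public class UserSetting
{
    public int Id { get; set; }
    public string OwnerId { get; set; }      // AspNetUsers.Id of the owning user
    public string DisplayName { get; set; }
}

// Hypothetical EF6 context; a real project would use its own.
public class AppDb : DbContext
{
    public DbSet<UserSetting> Settings { get; set; }
}

[Authorize]   // anonymous requests are sent to the login page
public class ProfileController : Controller
{
    private readonly AppDb _db = new AppDb();

    // GET /Profile : no id in the URL, the user comes from the auth cookie.
    public ActionResult Index()
    {
        string userId = User.Identity.GetUserId();
        var settings = _db.Settings.Where(s => s.OwnerId == userId).ToList();
        return View(settings);
    }

    // GET /Profile/Setting/5 : an int id in the URL is safe once ownership is enforced.
    public ActionResult Setting(int id)
    {
        string userId = User.Identity.GetUserId();
        // Filter on key AND owner so another user's row is never loaded.
        var setting = _db.Settings.SingleOrDefault(s => s.Id == id && s.OwnerId == userId);
        // Same response for "missing" and "not yours", so ids cannot be probed.
        if (setting == null) return HttpNotFound();
        return View(setting);
    }

    protected override void Dispose(bool disposing)
    {
        if (disposing) _db.Dispose();
        base.Dispose(disposing);
    }
}
```

The same owner filter belongs on every POST action that updates or deletes a row, not only on the GET actions shown here.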