MVC Identity

ANB 181 Reputation points
2021-12-03T20:16:27.99+00:00

I have a MVC application working with Net Identity.
One of my pages is Profile. It returns my personal information and some settings.
The user needs to be logged in to have access to that.

[Authorize]
public ActionResult Profile() {
...
}

So once the user is logged in, the url will be like:
https://mywebsite.com/profile?id=5451836c-f290-41e2-b4f0-db2337b5e946

However if I know another person's guid, I can have all accesses to their profile/settings information, just changing the url:
https://mywebsite.com/profile?id=here-goes-a-different-guid2
https://mywebsite.com/profile?id=here-goes-a-different-guid3
https://mywebsite.com/profile?id=here-goes-a-different-guid4

Is that right ?
I know that having other people's guid or trying to invent one would be almost impossible but shouldn't I have access to their information JUST if I have logged in with their credentials ?
How can I fix it ?

Thx

ASP.NET Core
ASP.NET Core
A set of technologies in the .NET Framework for building web applications and XML web services.
4,023 questions
0 comments No comments
{count} votes

Accepted answer
  1. AgaveJoe 25,761 Reputation points
    2021-12-03T21:59:45.183+00:00

    Identity caches encrypted user data within an authentication cookie.

    The following is how to get to the user name after a successful authentication.

    var username = User.Identity.Name;  
    

    Identity has the GetUserId() extension which fetches the user Id.

    User.Identity.GetUserId()  
    

    Do not add sensitive data like the user Id in the URL. When using an Id route parameter always make sure the current user (User.Identity.Name) can view/edit the data. This is typically a database design.


2 additional answers

Sort by: Most helpful
  1. ANB 181 Reputation points
    2021-12-03T23:44:17.203+00:00

    If not using user id (guid) in the URL, my other option would be int ID:
    https://mywebsite.com/profile?id=1
    https://mywebsite.com/profile?id=2
    https://mywebsite.com/profile?id=3

    But then would be even easier to people have access to other people information.
    What would be the solution then ?


  2. Bruce (SqlWork.com) 52,826 Reputation points
    2021-12-04T17:41:39.223+00:00

    You should add code that checks that the authenticated user matches the profile requested.