Preventing Url manipulation attacks with MVC?

Question

Any good strategies, code snippets etc for preventing URL manipulation?

For example I have this url, http://localhost/profile/edit/5 the id could easily be

Answer 1

You shouldn't make your URLs "manipulation-proof" to protect underlying functionality. Besides: most websites make URLs more readable like http://stackoverflow.com/questions/741653/preventing-url-manipulation-attacks-with-mvc for instance - obfuscation would be a step backwards.

Rather check for permissions within your Controllers and raise an exception if the user is not allowed to edit profile 6. If you don't want to have the "checks" everywhere, maybe you could put them into an ActionFilter, or create some helper method like CurrentUser.FindProfileToEditById(profileId) (which throws an exception if the action is not allowed) instead of Profile.FindById(id).

If you want a generic service where you do not have a "current user", you might go with the GUID (so does Doodle for instance) - however this will always be a security threat in various ways (Facebook had this issue with their photo-albums).