
I have a GET action for creating records. Because the page is somewhat dynamic, I don't use a model to hold the data. I go off to do some OAuth, only to return to the create screen later on. In order to pass the data back, I am redirecting with a query string. I parse the query string in the GET action, and then show the view. The thing is, the query string is showing up in the browser. This displays pseudo-sensitive data.

Since I am only using the query string for transferring data, I am wondering if I can throw the query string away to prevent it from showing up on the browser.

Otherwise, is there a way to go to another action without redirecting? I've found that if I call the "other" action method directly, it tries to find the view of the original action. I can explicitly change the return View(viewModel) line to return View("create", viewModel), but that seems really dirty.

2 Answers


You should consider changing the action to accept POST requests. At least this will prevent the sensitive information from appearing in the browser. For extra security, your site should be served via SSL.

The other thing you can try is encrypting the sensitive values or the entire query string. The only problem is that this, too, will be preserved in the browser's history unless you require users to log in.


1 Comment

I cannot redirect to POST. When the OAuth process comes back, it always uses GET. There doesn't seem to be a way to redirect via POST. I mean, I could create a web request internally... but this seems way too complicated.
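Added example (not code from the question or either answer): one way to act on the first answer's warning in ASP.NET MVC 5 without a POST redirect. Option 1 keeps the refresh token out of the URL entirely by handing it off through TempData and redirecting to a clean /Create URL. Option 2 covers the case where a value really must travel in the query string: it is encrypted and authenticated with MachineKey.Protect and rejected after a short window, so a URL recovered from browser history is not replayable. MachineKey.Protect/Unprotect and HttpServerUtility.UrlTokenEncode/UrlTokenDecode are the real System.Web APIs; CreateController, OAuthCallback, CreateFromQuery, CreateViewModel, ExchangeCodeForRefreshToken, the purpose string and the five-minute window are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical view model: the question keeps no model, this one only carries the token to the view.
public class CreateViewModel
{
    public string RefreshToken { get; set; }
}

public class CreateController : Controller
{
    private const string HandoffKey = "OAuthHandoff";

    // Option 1: never put the secret in the URL.
    // The OAuth provider always calls back with GET, so take the token here,
    // stash it server-side in TempData (session-backed, cleared after one read)
    // and redirect to Create with a clean URL. Nothing sensitive reaches the
    // address bar or browser history, and no POST redirect is needed.
    public ActionResult OAuthCallback(string code, string state)
    {
        string refreshToken = ExchangeCodeForRefreshToken(code); // hypothetical provider round trip
        TempData[HandoffKey] = refreshToken;
        return RedirectToAction("Create");
    }

    [HttpGet]
    public ActionResult Create()
    {
        // Null when the user opens /Create directly instead of arriving from the callback.
        var token = TempData[HandoffKey] as string;
        return View(new CreateViewModel { RefreshToken = token });
    }

    // Option 2: the value must travel in the query string, so seal it with the
    // machine key and expire it. The callback would redirect with
    //   RedirectToAction("CreateFromQuery", new { t = QueryProtector.Protect(refreshToken) })
    public ActionResult CreateFromQuery(string t)
    {
        var token = QueryProtector.Unprotect(t);
        if (token == null)
            return new HttpStatusCodeResult(400, "Missing, tampered or expired hand-off token");
        return View("Create", new CreateViewModel { RefreshToken = token });
    }

    private static string ExchangeCodeForRefreshToken(string code)
    {
        // Stand-in for the real token exchange; not the point of this example.
        return "refresh-token-for-" + code;
    }
}

public static class QueryProtector
{
    private const string Purpose = "oauth-handoff";                 // binds ciphertext to this one use
    private static readonly TimeSpan MaxAge = TimeSpan.FromMinutes(5); // assumed replay window

    public static string Protect(string value)
    {
        // Prefix the UTC timestamp so Unprotect can refuse stale URLs.
        var payload = Encoding.UTF8.GetBytes(DateTime.UtcNow.Ticks + "|" + value);
        var sealedBytes = MachineKey.Protect(payload, Purpose);     // encrypt + MAC with the machine key
        return HttpServerUtility.UrlTokenEncode(sealedBytes);        // URL-safe base64
    }

    public static string Unprotect(string token)
    {
        if (string.IsNullOrEmpty(token)) return null;
        byte[] raw;
        try
        {
            var sealedBytes = HttpServerUtility.UrlTokenDecode(token);
            if (sealedBytes == null) return null;
            raw = MachineKey.Unprotect(sealedBytes, Purpose);
        }
        catch (FormatException) { return null; }                    // not valid token encoding
        catch (CryptographicException) { return null; }             // tampered, or sealed under another key
        if (raw == null) return null;

        var text = Encoding.UTF8.GetString(raw);
        int sep = text.IndexOf('|');
        long ticks;
        if (sep < 0 || !long.TryParse(text.Substring(0, sep), out ticks)) return null;
        if (DateTime.UtcNow - new DateTime(ticks, DateTimeKind.Utc) > MaxAge) return null;
        return text.Substring(sep + 1);
    }
}
```

Option 1 is the answer to the "can I throw the query string away" part of the question: the redirect carries nothing, so there is nothing to hide. Option 2 still leaves a URL in history, exactly as the answer warns; the expiry check stops that URL from being replayed later, and the purpose string stops a token sealed for one feature being accepted by another, but the ciphertext is still visible to anything that logs the request line, so prefer Option 1 where you can.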

It looks like your action method is trying to do too much. Authentication/authorization is a separate concern which should not be part of the action method. It is better to move the authentication work into an action filter.

Create a class that extends the authorization attribute and override its OnAuthorization method to do your authorization work.

This frees your controller action method to accept POST requests.

4 Comments

OAuth is a web standard for allowing users to grant access to their information to other sites. So, I can grab user's Google Analytics data, or Twitter data or Facebook data. In my case, I am requesting something called a refresh token so I can grab data on the server at any time. The user really isn't authenticating into my system - they're just granting me access to their data.
Is it not a separate concern from the actual controller action? It looks like you need that token before you continue with your action. If the Authorization attribute won't suit your needs, you can still implement IActionFilter to perform these actions.
The user is already logged in. They're not trying to get access to my system, I'm trying to get access to their data.
If that is the case, why not take the value from the oData service, create a model and then call the named view by passing the data? What is the extra advantage of RedirectToAction here?
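An added example (not from the answer or the question) of the filter the second answer describes, for ASP.NET MVC 5: an AuthorizeAttribute subclass that overrides OnAuthorization, checks Session for a stored provider token, and redirects to an OAuth start action when none is present. Because the token lives in Session, the callback can return the user to the original action without putting the token into any URL. The session key, the OAuth/Start route, RecordsController and RequireRefreshTokenAttribute are assumptions.

```csharp
using System.Web.Mvc;
using System.Web.Routing;

// Added example: gate an action on the presence of an OAuth refresh token
// kept server-side in Session. Names are hypothetical.
public class RequireRefreshTokenAttribute : AuthorizeAttribute
{
    public const string SessionKey = "RefreshToken";

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        // Overriding OnAuthorization replaces the base behaviour, which only checks
        // that the user is signed in. As the comments note, the user is already
        // logged in here; what the action needs is the provider token, so that is
        // the only thing this filter tests.
        var session = filterContext.HttpContext.Session;
        var token = session == null ? null : session[SessionKey] as string;
        if (!string.IsNullOrEmpty(token))
            return; // token present: let the action run and read Session itself

        // No token yet: send the user through the OAuth flow and come back here.
        // The callback should treat returnUrl as untrusted and check Url.IsLocalUrl
        // before redirecting to it, so the filter cannot be turned into an open redirect.
        filterContext.Result = new RedirectToRouteResult(
            new RouteValueDictionary(new
            {
                controller = "OAuth",
                action = "Start",
                returnUrl = filterContext.HttpContext.Request.RawUrl
            }));
    }
}

// Usage on the hypothetical create action. With the token in Session there is
// nothing to pass through the redirect, so the query string stays empty.
public class RecordsController : Controller
{
    [HttpGet]
    [RequireRefreshToken]
    public ActionResult Create()
    {
        var token = (string)Session[RequireRefreshTokenAttribute.SessionKey];
        // ... use token to pull the user's provider data, then render the page ...
        return View();
    }
}
```

The OAuth callback action that pairs with this filter stores the refresh token under RequireRefreshTokenAttribute.SessionKey and then redirects to returnUrl (after the Url.IsLocalUrl check); the second request for /Records/Create passes the filter and reads the token from Session, which is the "create a model and call the named view" path the last comment suggests, only without a token-bearing URL in between.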
