This is sort of a generic “Good Idea/Bad Idea question”.
My scenario: I am writing an ASP.NET MVC3 app that is just 1 page (one View/Controller). This view shows a grid of “Cases” and when a user clicks one of these Cases, I use jquery ajax ($.ajax) to swap out the visible portion of the page and load the details of this Case (but never change the page).
Still with me? Thanks!
Now, once this new Case detail view is shown, the user can edit the Case in one of many ways. Change the priority, change the status, etc. I am using jquery’s ajax function for this as well.
My question: How should I store the Case ID? Is it ok to store it in the HTML? Is there a better place to store it?
All of the Cases have a Guid ID, and currently when the Case details are loaded (using ajax) I add a custom attribute to the Case detail view <div> so I know the Case ID. This means that the Case ID is visible to anybody viewing the page source. I thought about using jQuery’s .data() function to store it, which wouldn’t be visible to page source, but would be accessible from Firebug other inspector tools.
What is the best practice for this? I really can’t imagine how my user’s would do anything with the Case ID, but I am trying to be a bit paranoid here.
Thanks in advance for any thoughts! And thanks for reading this novel!
There’s very little you can do about things which the browser gets to see in any fashion, since code and data in the DOM are not protected from the user.
Obviously you don’t want to send anything to a user who is not allowed to see that information – so you don’t want to do any client-side filtering of data that is dependent upon user role.
But as for internal data, you just have to protect your perimeter – methods can’t accept ids which are mismatched (i.e. an account id which is only valid for a different customer being submitted) – but there’s very little you can do about the ids themselves.