0
votes

I'm new to Forms Authentication and am having difficulty with this problem:

I have a route set up like so:

routes.MapRoute(
       "Account", // Route name
       "Account", // URL with parameters
       new { controller = "Account", action = "MyAccount", username = UrlParameter.Optional } // Parameter defaults
);

MyAccount action:

[Authorize]
public ActionResult MyAccount(MyAccountModel model, string username)
{
    // Do stuff with username and model
    return View(model);
}

I noticed a security flaw in that the user could go:

../Account/MyAccount?username=test

And specify any username to receive info on that user. Is there anyway I can make this secure? I need to pass that username to this method to get stuff from my custom membership provider


1 Answer

3
votes

It sounds like what you want to do is test whether the username is equal to that of the currently authenticated user. Something like this:

[Authorize]
public ActionResult MyAccount(MyAccountModel model, string username)
{
    if (User.Identity.Name == username)
    {
        // Display account information
        return View(model);
    }

    // Requested username does not match the authenticated user
    return new HttpStatusCodeResult(403);
}
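To show the check above in a form that compiles and fails closed, here is an added example (not code from the question or the answer). It assumes a hypothetical `IAccountRepository` standing in for the asker's custom membership provider, a placeholder `MyAccountModel`, and an assumed role name `"Administrator"`. The first action removes the attacker-controlled parameter entirely, which is the simplest fix for a self-service page; the second keeps a `username` parameter for cases that genuinely need one and compares it against the identity from the forms-authentication ticket before loading anything.

```csharp
using System;
using System.Net;
using System.Web.Mvc;

// Placeholder for the asker's view model (shape not given on the page).
public class MyAccountModel
{
    public string Username { get; set; }
}

// Hypothetical abstraction over the custom membership provider.
public interface IAccountRepository
{
    MyAccountModel Load(string username);
}

public class AccountController : Controller
{
    private readonly IAccountRepository _accounts;

    public AccountController(IAccountRepository accounts)
    {
        _accounts = accounts;
    }

    // Hardened self-service page: no username parameter at all.
    // The identity comes from the auth ticket, so the route default
    // "username = UrlParameter.Optional" is no longer needed for this action.
    [Authorize]
    public ActionResult MyAccount()
    {
        var username = User.Identity.Name;
        var model = _accounts.Load(username);
        return View(model);
    }

    // Variant for pages that legitimately take a username (e.g. admin tooling).
    // Authorization is decided before any data is loaded, and the default is deny.
    [Authorize]
    public ActionResult ViewAccount(string username)
    {
        if (string.IsNullOrWhiteSpace(username))
        {
            return new HttpStatusCodeResult(HttpStatusCode.BadRequest);
        }

        // Comparison semantics must match how the membership provider
        // stores names; OrdinalIgnoreCase is an assumption here.
        bool isSelf = string.Equals(username, User.Identity.Name,
                                    StringComparison.OrdinalIgnoreCase);
        bool isAdmin = User.IsInRole("Administrator"); // assumed role name

        if (!isSelf && !isAdmin)
        {
            // 403 rather than 401: the caller is authenticated, just not allowed.
            return new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        }

        return View("MyAccount", _accounts.Load(username));
    }
}
```

Returning `HttpStatusCodeResult(HttpStatusCode.Forbidden)` matters with Forms Authentication: an `HttpUnauthorizedResult` produces a 401, which the forms-auth module turns into a redirect to the login page even though the user is already signed in. Whether the username comparison should be case-insensitive depends on the membership provider; use the same comparison it uses for lookups so that `alice` and `Alice` cannot be treated as different people by one layer and the same person by another.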