Currently my solution uses a Page Parameter for RecordID to determine which record to show on a Details page. I am concerned about users editing the parameter in the URL to view records that they should not have access to.
Should I use Session variables to store the RecordID instead to prevent users from editing the URL? Or is there a way to hide the page parameters to prevent them from being edited?
Thank you for your question. Yes, we would recommend using a Session variable for this scenario, keeping in mind that, during the session, the number will stay until changed again.
If the RecordID is really a secret and you still require it to be used as a Page Parameter, a good and widely used option is to use a hashed ID, rather than a sequential number. You could have a table with your hashed number vs. true number in your database, in which case your user won’t be able to guess another record number.
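The lookup-table approach from the reply above, as an added example that is not part of the original thread or the platform's own code. It assumes hypothetical table and column names (`records`, `record_tokens`, `owner_id`), uses a random token rather than a value computed from the number, and goes one step further than the reply by also checking on the server that the record belongs to the requesting user.

```python
import secrets
import sqlite3

def init_db():
    """In-memory database with constructed sample data (all names hypothetical)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE records (id INTEGER PRIMARY KEY, owner_id INTEGER NOT NULL, body TEXT);
        CREATE TABLE record_tokens (
            token TEXT PRIMARY KEY,            -- value exposed as the page parameter
            record_id INTEGER NOT NULL UNIQUE REFERENCES records(id)
        );
        INSERT INTO records VALUES (1, 10, 'invoice for user 10'),
                                   (2, 20, 'invoice for user 20');
    """)
    return db

def token_for(db, record_id):
    """Return the opaque URL token for a record, creating it on first use."""
    row = db.execute("SELECT token FROM record_tokens WHERE record_id = ?",
                     (record_id,)).fetchone()
    if row:
        return row[0]
    token = secrets.token_urlsafe(16)  # 128 random bits, not derived from the id
    db.execute("INSERT INTO record_tokens VALUES (?, ?)", (token, record_id))
    return token

def load_record(db, token, user_id):
    """Resolve the page parameter to (id, body), or None if unknown or not the user's."""
    return db.execute(
        """SELECT r.id, r.body FROM record_tokens t
           JOIN records r ON r.id = t.record_id
           WHERE t.token = ? AND r.owner_id = ?""",
        (token, user_id),
    ).fetchone()  # the same None covers both failure cases

if __name__ == "__main__":
    db = init_db()
    t1 = token_for(db, 1)
    print("page parameter for record 1:", t1)
    print("owner (user 10):", load_record(db, t1, 10))
    print("other user (20):", load_record(db, t1, 20))
    print("edited to '2':  ", load_record(db, "2", 20))
```

Because `load_record` filters on the owner as well as the token, a token that leaks through browser history or a shared link still does not open the record for a different user.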