Page parameters vs Session variables for security

Good day,

Currently my solution uses a Page Parameter for RecordID to determine which record to show on a Details page. I am concerned about users editing the parameter in the URL to view records that they should not have access to.

Should I use Session variables to store the RecordID instead to prevent users from editing the URL? Or is there a way to hide the page parameters to prevent them from being edited?

Hi Liam,

Thank you for your question. Yes, we would recommend using a Session variable for this scenario, keeping in mind that, during the session, the number will stay until changed again.

If the RecordID is really a secret and you still require it to be used as a Page Parameter, a good and widely used option is to use a hashed ID, rather than a sequential number. You could have a table with your hashed number vs. the true number in your database, in which case your user won’t be able to guess another record number.

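An added example, not part of the original thread or of the platform's own code: a sketch of the lookup table suggested in the reply, using a random token in place of a hash, together with an ownership check against the session user when the Details page loads. The table names, column names, the `owner` column and the sample rows are all assumptions constructed for illustration.

```python
import secrets
import sqlite3

def setup_db():
    """In-memory database with constructed sample rows (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE records (id INTEGER PRIMARY KEY, owner TEXT, body TEXT);
        CREATE TABLE record_tokens (token TEXT PRIMARY KEY,
                                    record_id INTEGER UNIQUE REFERENCES records(id));
        INSERT INTO records VALUES (1, 'liam', 'Liam invoice'), (2, 'ana', 'Ana invoice');
    """)
    return db

def token_for(db, record_id):
    """Return the opaque token for a record, creating it on first use."""
    row = db.execute("SELECT token FROM record_tokens WHERE record_id = ?",
                     (record_id,)).fetchone()
    if row:
        return row[0]
    token = secrets.token_urlsafe(16)  # 128 random bits, not derived from the ID
    db.execute("INSERT INTO record_tokens VALUES (?, ?)", (token, record_id))
    return token

def load_details(db, session_user, token):
    """Resolve the page parameter and return the record body, or None.

    An unknown token and a token for someone else's record both return
    None, so the response never reveals whether a token exists.
    """
    row = db.execute(
        """SELECT r.body FROM record_tokens t
           JOIN records r ON r.id = t.record_id
           WHERE t.token = ? AND r.owner = ?""",
        (token, session_user)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = setup_db()
    t1 = token_for(db, 1)
    print(load_details(db, "liam", t1))   # the record's owner
    print(load_details(db, "ana", t1))    # another user holding a shared link
    print(load_details(db, "liam", "2"))  # a raw sequential ID in the URL
```

The token only makes other records' identifiers hard to guess; the `owner` comparison is what decides whether the signed-in user may see the record, so a forwarded or bookmarked link does not grant access on its own.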