http://weblogs.asp.net/stephenwalther/archive/2008/07/08/asp-net-mvc-tip-15-pass-browser-cookies-and-server-variables-as-action-parameters.aspxIn this tip, I demonstrate how you can pass browser cookies and HTTP server variables to controller action methods in the same way as you can pass form and query string parameters. Imagine that you make the following browser request against an ASP.NETenCommunityServer 2007 SP1 (Build: 20510.895)http://weblogs.asp.net/stephenwalther/archive/2008/07/08/asp-net-mvc-tip-15-pass-browser-cookies-and-server-variables-as-action-parameters.aspx#7113973Tue, 09 Jun 2009 02:29:03 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:7113973MVC Controller Action Security Hole « SquaredRootMVC Controller Action Security Hole « SquaredRoot<p>Pingback from &nbsp;MVC Controller Action Security Hole &amp;laquo; &nbsp;SquaredRoot</p> <img src="http://weblogs.asp.net/aggbug.aspx?PostID=7113973" width="1" height="1">http://weblogs.asp.net/stephenwalther/archive/2008/07/08/asp-net-mvc-tip-15-pass-browser-cookies-and-server-variables-as-action-parameters.aspx#6435869Wed, 23 Jul 2008 15:27:15 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:6435869VBVB<p>Hi Stephen,</p> <p>I am new to MVC and was wondering when you pass action parameters Is there any way NOT TO DISPLAY them in the url?</p> <p>for eg: <a rel="nofollow" target="_new" href="<a rel="nofollow" target="_new" href="http://localhost/mvcapp/blogs/">http://localhost/mvcapp/blogs/</a>24">localhost/.../24</a></p> <p>can we display this as</p> <p><a rel="nofollow" target="_new" href="http://localhost/mvcapp/blogs/">http://localhost/mvcapp/blogs/</a> </p> <p>or maybe some other way where we do not display the parameter to the user?</p> <p>Thanks</p> <img src="http://weblogs.asp.net/aggbug.aspx?PostID=6435869" width="1" height="1">http://weblogs.asp.net/stephenwalther/archive/2008/07/08/asp-net-mvc-tip-15-pass-browser-cookies-and-server-variables-as-action-parameters.aspx#6385454Thu, 10 Jul 2008 20:01:19 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:6385454Dylan BeattieDylan Beattie<p>Exactly as tf124 said... how do you combine these techniques with something like Html.BuildUrlFromExpression() or Html.ActionLink&lt;T&gt;() ?</p> <p>These methods won't compile unless you specify their arguments in the method call - so how can you refer to them within pages and still use the automatic parameter population features?</p> <p>Great article, though - thanks!</p> <img src="http://weblogs.asp.net/aggbug.aspx?PostID=6385454" width="1" height="1">http://weblogs.asp.net/stephenwalther/archive/2008/07/08/asp-net-mvc-tip-15-pass-browser-cookies-and-server-variables-as-action-parameters.aspx#6383381Thu, 10 Jul 2008 10:48:59 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:6383381links for 2008-07-10 « Praveen’s Bloglinks for 2008-07-10 « Praveen’s Blog<p>Pingback from &nbsp;links for 2008-07-10 &amp;laquo; Praveen&amp;#8217;s Blog</p> <img src="http://weblogs.asp.net/aggbug.aspx?PostID=6383381" width="1" height="1">http://weblogs.asp.net/stephenwalther/archive/2008/07/08/asp-net-mvc-tip-15-pass-browser-cookies-and-server-variables-as-action-parameters.aspx#6380481Wed, 09 Jul 2008 16:34:52 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:6380481tf124tf124<p>So... how could I link to a controller that accepts server variables via an Html.ActionLink. &nbsp;It would get a compile error if you don't specify all the parameters... yet that would be exactly what I want to do... not specify the parameters and have them filled in for me.</p> <img src="http://weblogs.asp.net/aggbug.aspx?PostID=6380481" width="1" height="1">http://weblogs.asp.net/stephenwalther/archive/2008/07/08/asp-net-mvc-tip-15-pass-browser-cookies-and-server-variables-as-action-parameters.aspx#6379229Wed, 09 Jul 2008 06:29:24 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:6379229HaackedHaacked<p>I wrote a blog post that addresses the fundamental security issue in this case, which is not passing server vars into an action method. <a rel="nofollow" target="_new" href="http://haacked.com/archive/2008/07/08/user-input-in-sheep-clothing.aspx">haacked.com/.../user-input-in-sheep-clothing.aspx</a></p> <img src="http://weblogs.asp.net/aggbug.aspx?PostID=6379229" width="1" height="1">http://weblogs.asp.net/stephenwalther/archive/2008/07/08/asp-net-mvc-tip-15-pass-browser-cookies-and-server-variables-as-action-parameters.aspx#6379226Wed, 09 Jul 2008 06:27:56 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:6379226you've been HAACKEDyou've been HAACKED<p>User Input In Sheep</p> <img src="http://weblogs.asp.net/aggbug.aspx?PostID=6379226" width="1" height="1">http://weblogs.asp.net/stephenwalther/archive/2008/07/08/asp-net-mvc-tip-15-pass-browser-cookies-and-server-variables-as-action-parameters.aspx#6378485Wed, 09 Jul 2008 02:00:44 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:6378485Troy Goode: SquaredRootTroy Goode: SquaredRoot<p>MVC Controller Action Security Hole</p> <img src="http://weblogs.asp.net/aggbug.aspx?PostID=6378485" width="1" height="1">http://weblogs.asp.net/stephenwalther/archive/2008/07/08/asp-net-mvc-tip-15-pass-browser-cookies-and-server-variables-as-action-parameters.aspx#6377886Tue, 08 Jul 2008 22:22:19 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:6377886Troy GoodeTroy Goode<p>Thanks for the tip Stephen, specifically about passing cookies in.</p> <p>Unfortunately I think Francois is 100% on point regarding the security implications of passing server variables this way. I've examined some potential pitfalls on my blog:</p> <p><a rel="nofollow" target="_new" href="http://www.squaredroot.com/post/2008/07/08/MVC-Routing-Security-Hole.aspx">www.squaredroot.com/.../MVC-Routing-Security-Hole.aspx</a></p> <img src="http://weblogs.asp.net/aggbug.aspx?PostID=6377886" width="1" height="1">http://weblogs.asp.net/stephenwalther/archive/2008/07/08/asp-net-mvc-tip-15-pass-browser-cookies-and-server-variables-as-action-parameters.aspx#6377854Tue, 08 Jul 2008 22:14:56 GMTc06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:6377854Troy Goode: SquaredRootTroy Goode: SquaredRoot<p>MVC Routing Security Hole</p> <img src="http://weblogs.asp.net/aggbug.aspx?PostID=6377854" width="1" height="1">