Security with QueryString values in Asp.net MVC

Question

How do you properly ensure that a user isnt tampering with querystring values or action url values? For example, you might have a Delete Comment action on your CommentContro

Answer 1

You don't.

It is a cardinal rule of programming, especially in this day and age, that you never trust any input which comes from the user, the browser, the client, etc.

It is also a cardinal rule of programming that you should probably not try to implement encryption and security yourself, unless you really know what you are doing. And even if you do know what you are doing, you will only remain one step ahead of the tard-crackers. The smart ones are still going to laugh at you.

Do the extra query to ensure the logged-in user has the right set of permissions. That will make everyone's lives just that much simpler.