What are the best practices when it comes to securing an MVC controller? My site is a multi-tenant solution where all customers would log in and use the same site. Although they would be logged in, how do I prevent them from tampering with anyone else's data?
I'm of course preventing this in the UI, but I currently don't have any logic preventing the users from using Fiddler and manipulating the requests "by hand". I get that I need to store the user's data in some sort of context (e.g. cookie or session) and then evaluate the page request in my controller. But what is the best approach?
Use ASP.NET Identity for authentication and authorization. It is secured and is designed with best practices. You can easily implement dependency injection with the Microsoft Unity resolver. If needed you can enable two-factor authentication, social login, profile
A complete sample you can install to study what ASP.NET Identity provides:
Create an empty ASP.NET application and install the Identity sample NuGet package.
Install-Package Microsoft.AspNet.Identity.Samples -Pre
Enjoy Security with ease.
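ASP.NET Identity handles authentication (who the user is), but it does not by itself stop an authenticated user of tenant A from requesting tenant B's rows by editing an id in Fiddler; that is an authorization check the controller has to make on every request. The following is an added example (C#, ASP.NET MVC 5 with Entity Framework 6), not code from the question, the answer or the Identity samples. The Invoice entity, ApplicationDbContext, the "TenantId" claim name and the TenantController base class are all assumptions made for illustration.

```csharp
// Added example, not from the original post. Invoice, ApplicationDbContext,
// TenantController and the "TenantId" claim are assumed names.
using System.Linq;
using System.Net;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;
using System.Data.Entity;

// Assumed entity: every row that belongs to a customer carries its owning tenant.
public class Invoice
{
    public int Id { get; set; }
    public int TenantId { get; set; }
    public string Description { get; set; }
    public decimal Amount { get; set; }
}

// Assumed EF context.
public class ApplicationDbContext : DbContext
{
    public DbSet<Invoice> Invoices { get; set; }
}

// Base controller: the tenant comes from the server-side identity (a claim that
// ASP.NET Identity serialised into the encrypted auth cookie at sign-in), never
// from the route, a form field, a hidden input or a cookie the client can edit.
[Authorize]
public abstract class TenantController : Controller
{
    protected int CurrentTenantId
    {
        get
        {
            var claim = ((ClaimsIdentity)User.Identity).FindFirst("TenantId");
            if (claim == null)
                throw new HttpException((int)HttpStatusCode.Forbidden, "No tenant on identity");
            return int.Parse(claim.Value);
        }
    }
}

public class InvoicesController : TenantController
{
    private readonly ApplicationDbContext db = new ApplicationDbContext();

    // VULNERABLE (kept for contrast): trusts the id from the route. Any logged-in
    // user can walk /Invoices/DetailsUnsafe/1, /2, /3 ... across all tenants.
    public ActionResult DetailsUnsafe(int id)
    {
        var invoice = db.Invoices.Find(id);
        if (invoice == null) return HttpNotFound();
        return View("Details", invoice);
    }

    // HARDENED: the query is scoped by the tenant taken from the identity. A
    // foreign id simply does not exist from this tenant's point of view, so
    // answer 404 rather than 403 (403 would confirm the id is real).
    public ActionResult Details(int id)
    {
        var tenantId = CurrentTenantId;
        var invoice = db.Invoices.SingleOrDefault(i => i.Id == id && i.TenantId == tenantId);
        if (invoice == null) return HttpNotFound();
        return View(invoice);
    }

    // Writes: TenantId is never model-bound from the request; the server assigns
    // it. Otherwise a tampered POST could create or move a row into another tenant.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Create([Bind(Include = "Description,Amount")] Invoice invoice)
    {
        if (!ModelState.IsValid) return View(invoice);
        invoice.TenantId = CurrentTenantId; // ownership decided server-side
        db.Invoices.Add(invoice);
        db.SaveChanges();
        return RedirectToAction("Details", new { id = invoice.Id });
    }

    // Updates: load the row under the tenant scope first, then copy only the
    // editable fields, so neither the id nor the TenantId can be redirected.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Edit(int id, [Bind(Include = "Description,Amount")] Invoice posted)
    {
        if (!ModelState.IsValid) return View(posted);
        var tenantId = CurrentTenantId;
        var invoice = db.Invoices.SingleOrDefault(i => i.Id == id && i.TenantId == tenantId);
        if (invoice == null) return HttpNotFound();
        invoice.Description = posted.Description;
        invoice.Amount = posted.Amount;
        db.SaveChanges();
        return RedirectToAction("Details", new { id });
    }
}
```

The "TenantId" claim has to be added server-side when the sign-in identity is built (in the MVC 5 template that is ApplicationUser.GenerateUserIdentityAsync, where the user's tenant is looked up from your own user table, not taken from the login form). Because the claim lives inside the auth cookie that ASP.NET Identity encrypts and signs, the client cannot change it in Fiddler; the only tamperable input left is the id, and every query above refuses to return a row unless both the id and the tenant match.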