Is it a bad idea to put sensitive information (user ID's, connection strings, things I might not want visible to other user's) in the ViewBag? Can an external user get to that info in any way?
My thought is no, they can not get to it (I have tried, not that I am in LulzSec) but I was curious on other people's thoughts.
Thanks in Advance!
ViewBag is session based and it only the CURRENT request based and as such has the same constraints as the session with the added benefit that it is deleted at the end of that request, so no - this is not accessible. Even if someone could steal your session id and hijack the session, viewdata would be gone.
TempData is another story and session hijacking would allow a user to hijack another session - hence tempdata but a user still wouldnt be able to see that by default unless you have this information emitted into trace info. So basically if I could steal your session, whatever code you have on the next request would be executing for me, and not for the user its 'waiting' for on the next request. But - they still can't enumerate it and access it themselves.
Since the ViewBag is only used for server side processing, adding dynamic functionality to mimic a more Ruby- or Python-esque approach, I don't think you need to worry more about security than with everything else being stored and used on your server.
Related
Let's say a user is banned in a website, but his session is still active. What's the best way of preventing him from performing an action that a banned user is not allowed to do?
The two plausible solutions I came up with are
making an additional checking previous to every "major" action,
like making a post in the forum, sending a private message, etc. to make sure
he is not banned (checking with the database)
destroying his session
Now, the latter solution could be done by setting an expiration for the cookie, but this would be bothersome for the rest of the users as they would have to log in again.
Other option would be setting a timeout in the session in which the scripts checks if he's banned with the database and then destroying his session if he is, but this seems like a bit too much.
What's the best way to deal with this?
If I understand what you mean by setting an expiration for the setting cookie, I would recommend against it. You want the control to be on the server side - don't trust your clients; they can easily prevent a cookie on their side from being destroyed.
Hopefully, whatever framework you're using has a way to delete the server-side data associated with a user's session, instead, invalidating the client's session id.
If your application is object oriented, you could do a check in your constructor, if the user is banned, and if he is, unset his session/call the log out function.
We are using Asp.net Session in our application for state management. By default, In-proc mode is being used. But now, we have to look for an alternative as we have been asked to remove Session from our application by our client due to performance issue.
One of the way is to keep everything at Client side say in hidden field on Postback. It's not a good approach for sure.
Is there any other way of doing it? Im sure there would be an alternative.
PS: Please don't suggest Querystring.
Thanks,
Sumit
Something close to that is HttpContext.Current.Items but has a shorter life span
Items collections of HttpContext is and IDictionary key-value
collections and that are shared across a single HTTPRequest. Yes,
HttpContext.Current.Items valid for a single HTTPRequest. Once
after processing, server information is sent back to the browser,
the variables that were set in the Items[] collection will lost. Where
as for Session Variable, information valid for multiple request as
this is user specific. The session variable only expires either on
Session Time Out or explicitly clear the values.
More from these articles
When we can use HttpContext.Current.Items to stores data in ASP.NET
Here's the issue at hand: I have developed an ASP.NET MVC3 application using Razor. I have also implemented a custom membership provider and overridden the ValidateUser() method. Within, I query my db and get a lot of user information in addition to the password auth.
At the moment, I am pushing this information, i.e. companyId, to static properties of a class. This works and I can display/use this information throughout my app. The problem arises when a user closes their browser tab. Upon re-opening the app, the user is authenticated via a cookie, so they don't need to re-login; however, those static variables are blown away.
So guys and girls, how would/do you conquer this issue? Should I append the extra info to the session cookie? Or perhaps a better solution?
Use the ProfileProvider in ASP.NET.
For application level variables, they are going to be subject to application pool recycles and similar "simulated" restarts related to users starting all over. These variables should be completely independent of user usage and should be able to be recreated easily. If you have variables that are user dependent or that can't be restored easily without some sort of outside intervention then you will definitely need a different method of storage.
If the data is user specific, storing it in the session cookie is probably the best idea. If the data is user-related but branches multiple users it should be stored in a database or a flat file somewhere. If the data has nothing to do with users specifically then it should just be in a database or configuration file.
My web application requires a user to be logged in to view any webpage on it.
When a user logs in I store, in sessions, their username and password for retrieval later on. This all works fine but, if I rerun my project it seems to skip past authentication and go straight to the controller for that action.
What I presume is happening is that FormsAuthentication.SetAuthCookie(userName, createPersistentCookie); is remembering that the user is logged in but my sessions aren't updated.
How can I trap this scenario and update my sessions accordingly?
There are many ways of going about it.
First, you can choose, not to persist the cookie. But this will still cause the exception if the session has not expired and you recompile your project. Recompiling the project destroys the session state.
Though putting the password in session state is not the preferred way of going about it, I am sure you would have a valid reason of doing it that way.
However, if you want to do it that way, you can override the Application_AuthenticateRequest event in Global.asax. This event fires every time a request comes in and you can check if the request is authenticated (using HttpContext.Current.User.Identity.IsAuthenticated) and repopulate the session state.
By the way, can you elaborate why you need to store the user password in session state?
If I am correctly understood the issue,you can have base action class so and move the authentication mechanism there.So for every request this base will be invoked so you can make sure that the authentication mechanism is not skipped.
I'm trying to figure out exactly when the event Profile_MigrateAnonymous fires.
My best guess from just tracing through my code is that it fires when it detects BOTH an anonymous membership cookie AND an authenticated membership cookie. Can anyone confirm this? I'm looking for real in depth answer here. Not just it gets called 'when a user logs in'.
Now - why do I care?
I was trying to keep the anonymous profile hanging around after a user had authenticated so that once they log out I'd still be able to tell who they were, and certain settings that may have been set.
The problem I'm seeing is that Profile_MigrateAnonymous is getting fired on EVERY request. Not just when a user has logged in. This makes me believe it to be a bad practice to keep the anonymous cookie hanging around - and that I should always call ClearAnonymousIdentifier();
For instance I have a new store and an old store. I want users that have access to the 'new store' to never be put back on the old store. Obviously - as with most shopping carts you don't need to autenticate to begin a session. Therefore I think the only way is to call 'ClearAnonymousIdentifier' as designed but keep a secondary cookie 'UseNewStore' to track which store they should go to.
is this a good interpretation. Or should I just not care that Profile_MigrateAnonymous is being called all the time?
Don't bother with it. There is a simpler way
Migrating Profile Properties During Log On
http://msdn.microsoft.com/en-us/library/taab950e.aspx