Hi, what is your preferred method to maintain state of an asp.net page, if it is a public website (involving shopping cart, wish-list etc). I am in the process of designing a website that will need to ensure that the user is not able to tamper with the state (such as delete cookies etc).
I am in the process of designing a website that will need to ensure that the user is not able to tamper with the state (such as delete cookies etc).
I would use the session state. It's easy and effective.
You can't stop them from tampering with it as far as deleting cookies etc. Maybe altering the cookies, but not deleting them.
You can store the vital information on the server, so no sensitive information is stored on the client in a cookie etc.
To prevent user tampering you will need to store session state on the server side. A good practice is store it either in a database (sql server) or out of process, which can be either on the same server or another server, sometimes called a state server.
The preferred method of maintaining state is using viewstate. However, you want to keep the amount you store in it to a minimum as it will noticeably affect speed.
If you need to store information from page to page, I would recommend using session state. It's easy and very flexible.
The user will always be able to tamper with any method you use to store state. Consider these examples:
- Cookies - can alter, delete
- Session - can delete, timeout, change session key
- ViewState - can mess with the key
I encrypt my data and store the key in a cookie - such as cart id, user id, etc.. The cookie can be loaded at login and can be tampered with, but because the key encrypted, no real harm can be done. Storing in the session can work, but the timeouts have bitten me on many occasions and requires more considerations.
Both of those pieces of data (shopping cart & wish list) sound like they should be stored in your database, so they can persist beyond cookies being deleted or the session timing out.