Hi I was wondering in .NET 2.0 what is the best way to transfer parameters between pages? I cannot allow the user to modify these parameters, so I was thinking of using Session variables. Is this a safe method? Is there a way for the user to modify it?
+2
A:
Users cannot modify variables you store in Session[].
But you should still be aware of other session attacks like Session Fixation, and Session Hijacking. ASP.Net abstracts aware a lot of this security and handles it for you, but it's still good to know.
Tom Ritter
2009-03-09 18:11:31
A:
For it to be secure 100% it should be kept on the server.
Session is a good choice (also DB, but it require more resources-> less performance).
Although I say 100%, it depends on how you implement it.
Itay Moav
2009-03-09 18:12:22
A:
There is no way a user can modify the Session state without tricking your application to modify it for them. So for keeping info about the user secure between responses its a decent starting point.
Will
2009-03-09 18:12:37
+1
A:
You could also store it in the ViewState and set enableViewStateMAC to true. ViewState validation would fail if anyone tampered with the viewstate data.
Nick
2009-03-09 18:15:22