Environment: ASP.NET 4.5, Web Forms
I have a composite control that is basically two elements:
- What the user sees and interacts with
- A hidden input that's used to send data to the database
So basically, the control does a lot of stuff, not relevant for the question, but it has several buttons and actions a user can click which then call an HTTP handler, which in turn returns a response, and uses JavaScript to update the value in the hidden input field.
The page also has other controls which cause post-backs, so I'm retaining the value of the hidden input by using viewstate.
The problem is, anyone savvy enough can use JavaScript to change the value of the input, and send that data to the database.
I know the HTTP handler is stateless, but I'm looking for a solution for this. Instead of using the hidden input, I would like to store the value in a "viewstate-type" solution, as in the client cannot interfere.
So right before my HTTP handler returns a response, I'd like to store what is currently being updated in my hidden input via JavaScript, on the server itself.
I'm reading a bit about caching, but not sure of the best way. The value in the hidden input is simply a delimited string of values that are eventually sent to a stored procedure.
One approach might be to do everything you're doing now, but instead of sending the response from the HTTP Handler as clear text, send it back as encrypted text, or sign the data so you can verify it hasn't been tampered with when it's sent back to the server.
Using a server-side storage mechanism like cache or session isn't ideal because it adds the complexity of cleaning up data when you're finished, and accounting for visiting a separate page mid-process, which would make the data invalid.
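The signing option from the answer above, sketched as an added example that is not code from either poster: the handler appends an HMAC-SHA256 tag to the delimited string, and the page verifies that tag on postback before anything reaches the stored procedure. The class name `HiddenFieldSigner`, the key handling and the `context` string (for instance the user name plus the control ID) are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example. HiddenFieldSigner, the key source and the "context"
// string are hypothetical names chosen for this illustration.
public static class HiddenFieldSigner
{
    // Assumption: the key is loaded from protected server configuration
    // and is never sent to the browser.
    private static byte[] ComputeMac(byte[] key, string context, string value)
    {
        using (var hmac = new HMACSHA256(key))
        {
            // Length-prefix the context so ("ab","c") and ("a","bc") differ.
            string message = context.Length + ":" + context + value;
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(message));
        }
    }

    // Called by the HTTP handler: returns "value|base64(mac)" for the hidden input.
    public static string Sign(byte[] key, string context, string value)
    {
        return value + "|" + Convert.ToBase64String(ComputeMac(key, context, value));
    }

    // Called on postback: yields the value only if the tag verifies.
    public static bool TryVerify(byte[] key, string context, string signed, out string value)
    {
        value = null;
        if (signed == null) return false;
        // Base64 never contains '|', so the last '|' separates value and tag
        // even when the delimited value itself uses '|'.
        int sep = signed.LastIndexOf('|');
        if (sep < 0) return false;
        string candidate = signed.Substring(0, sep);
        byte[] supplied;
        try { supplied = Convert.FromBase64String(signed.Substring(sep + 1)); }
        catch (FormatException) { return false; }
        byte[] expected = ComputeMac(key, context, candidate);
        if (supplied.Length != expected.Length) return false;
        // Compare every byte so timing does not reveal the first mismatch.
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= supplied[i] ^ expected[i];
        if (diff != 0) return false;
        value = candidate;
        return true;
    }
}
```

Binding the tag to a context keeps a value signed for one user or control from verifying for another, but an older value signed for the same context still verifies, so include a version or timestamp in the signed string if replay matters.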