Pass data from page to page safely

Question

I am looking forward for a method to pass data from page to page safely and avoid as It's possible the tampering.

---

• The best way to solve it, is to save the sensitive data on db server.
• Or using session persist on db server.
• Or whatever method that persists data on db server.

The fact is because of performance I wouldn't like to use such methods.

I don't know if the following is a safe way, but I would like to test it.( but i don't know if it is possible)

I would like to save the sensitive data in viewstate in encryption mode..for ex in tespage1.aspx and retrieve this from testpage2.aspx.

How can I do this, and is it safe?

Thanks in advance

Answer 1

Create a custom class to hold your sensitive data.

class myCustomeClass
{
    int id;
    string name;
    currency amount;

    '... properties to access

    '... custom methods

    '... etc.
}

If you are really paranoid include methods for encryption/decryption... Now, set up fields and properties for the data. Next, encrypt (optional). Put the thing in the Cache...

Cache.Insert("MySensitiveData", myCustomClass, null, System.Web.Caching.Cache.NoAbsoluteExpiration, System.Web.Caching.Cache.NoSlidingExpiration);

redirect to your other page

In the Page_Load event

MyCustomClass oSensitiveData;

if (!IsPostBack)
{
    oSensitiveData = (myCustomeClass)Cache["MySensitiveData"];
}

That's it, you have your data, if you encrypted it you now need to decrypt it...

There are a multitude of ways to do this but this one works for me with relatively small sets of data. If you are doing large sets of data then you might want to explore using a database such as Sql Sever, mySql, etc... to act as a 'cache' for the data.

Answer 2

Its always recommended that sensitive data, should be in the server not with the client. Anything you embed in the page is a liability. Since you have ruled out all server side options, ViewState should be the best bet I believe due to its encryption. You could also use the Page.enableviewstatemac property to have even secure viewstate transfer.

Answer 3

Two problems here... One, ViewState is not secure. By default it is just a simple BASE64 encoding. Save this data on the server, period. Anything else is asking for trouble. Two, ViewState is lost when you go to a new page, for good reason. This is NOT how you pass data from one aspx page to another.

Additionally, choosing ViewState over Session for performance reasons makes no sense in most scenarios. Using InProc Session or Cache is going to be much more efficient than ViewState.