Best IT Recipes

Recommendations for transferring data between pages

Problem

In the stack that we reuse between projects, we put a little too much data into a session to transfer data between pages. It was good in theory because it prevents fake, repeated attacks, etc., but it creates as many problems as it solves.

Session loss is a problem in itself, although it is mainly handled by the Session State Server application (or using SQL Server). More importantly, it is difficult to make the reverse button work correctly, as well as to do additional work to create a situation where the user can, say, open the same screen on three tabs to work with different records.

And this is just the tip of the iceberg.

Most of these problems have workarounds, but as I brush it off, all this friction gives me the feeling that passing data between pages using a session is the wrong direction.

What I really want to do here is the best practice that my store can use all the time to transfer data between pages, and then for new applications replace the key parts of our stack that currently rely on Session.

It would be nice if the final decision did not lead to the mountains of plumbing code.

Suggested Solutions

Session

As mentioned above, a heavy attack on a session seems like a good idea, but it interrupts the back button and causes some other problems.

There may be ways to get around all the problems, but this seems like a lot of extra work.

One thing that is very enjoyable in using a session is that faking is simply not a problem. Compared to passing everything through an unencrypted QueryString, you end up writing much less security code.

Submitting Cross Pages

In truth, I hardly considered this option. I'm having a problem with how strongly it is related to pages - if I start doing Prep.FindControl ("SomeTextBox"), it seems like a maintenance problem, if I ever want to go to this page from another page, which maybe does not have a SomeTextBox control.

It seems limited in other ways. Perhaps I want to get to the page via a link, for example.

Querystring

Currently, I am inclined to this strategy, as in the old days. But I probably want my QueryString to be encrypted to make it harder to intervene, and I would also like to deal with the problem of re-attacks.

For 4 guys from Rolla, there is an article about it .

However, it should be possible to create an HttpModule that takes care of all this and removes all sausage encryption from the page. Of course, Mads Christensen has an article in which he released one. However, the comments sound like he has problems with extremely common scenarios.

Other options

Of course, this is not an exaustive look at the options, but rather the main options that I am considering. This link contains a more complete list. Those that I did not mention, such as Cookies and Cache, are not suitable for transferring data between pages.

In closing ...

So how do you deal with the problem of transferring data between pages? What hidden seekers did you have to work with, and are there any pre-existing tools around this that solve them all flawlessly? Do you think you have a solution that you are completely satisfied with?

Thanks in advance!

Update: Just in case I am not clear enough, "transferring data between pages" that I am talking about, for example, passing the CustomerID key from the CustomerSearch.aspx page to Client.aspx, where the Client will be open and can be changed.

+61
query-string webforms encryption
Jul 08 '10 at 20:17
source share
6 answers

A few months later, I thought that I was updating this question with the help of the technique with which I ended up, as it worked out so well.

After playing with more complex processing of session state (which led to a lot of broken buttons, etc.), I ended my own code to handle encrypted QueryStrings. It was a huge victory - all my problematic scenarios (the "Back" button, several tabs open at the same time, lost session state, etc.) were resolved, and the complexity is minimal, since the use is very well known.

This is still not a magic bullet for everything, but I think it’s good for about 90% of the scenarios you come across.

More details

I built a class called CorePage that inherits from the page. It has methods called SecureRequest and SecureRedirect.

So you can call:

SecureRedirect(String.Format("Orders.aspx?ClientID={0}&OrderID={1}, ClientID, OrderID)

CorePage parses a QueryString and encrypts it into a QueryString variable called CoreSecure. So the actual request looks like this:

Orders.aspx? CoreSecure = 1IHXaPzUCYrdmWPkkkuThEes% 2fIs4l6grKaznFGAeDDI% 3d

If available, the current user ID is added to the encryption key, so there are not many repeated attacks.

From there you can call:

 X = SecureRequest("ClientID")

Conclusion

Everything works without problems, using the usual syntax.

Over the past few months, I have also adapted this code to work with edge cases, such as hyperlinks that trigger a download - sometimes you need to create a hyperlink on a client with a secure QueryString. It works very well.

Let me know if you want to see this code, and I'll put it somewhere.

One final thought: it’s weird to accept my own answer to some of the very thoughtful messages that other people put here, but it really seems to be the final answer to my problem. Thanks to everyone who helped me get there.

+7
Apr 29 2018-11-21T00:
source share

First, the problems you are dealing with are related to state management in an environment that does not take state into account. The struggle you are facing is not new, and this is probably one of the things that makes web development more difficult than developing Windows or developing an executable file.

With regard to web development, you have five options, as far as I know, for handling user state, which can be used in conjunction with each other. You will find that no solution works for everything. Instead, you need to determine when to use each solution:

  • Query string - Query strings are good for passing pointers to data (for example, primary key values) or status values. Query strings alone should not be considered secure, even if they are encrypted due to retry. In addition, some browsers have a limit on the length of the URL. However, query strings have some advantages, such as being bookmarked and emailed to people and essentially stateless if they are not used with anything else.

  • Cookies - Cookies are good for storing a very small amount of information for a specific user. The problem is that cookies also have a size limit, after which it just truncates the data, so you need to be careful when placing user data in a cookie. In addition, users can kill cookies or stop using them (although this will also prevent the use of a standard session). Like query strings, cookies are better, IMO, for pointers to data than for data itself if the data is not tiny.

  • Form data. These forms can take a lot of information, but at the expense of time and, in some cases, reboots. ASP.NET ViewState uses hidden form variables to store information. Transferring data between pages using something like ViewState has the advantage of working better with the back button, but can easily create ginormous pages that slow down the user experience. In general, the ASP.NET model does not work with cross-placement (although this is possible), but instead works with messages on one page and from there it goes to the next page.

  • Session - A session is good for information related to the process the user is running with, or for general settings. You can store quite a lot of information in a session due to the amount of server memory or loading time from databases. Conceptually, the session works while simultaneously downloading all the package information for the user either from memory or from the state server. This means that if you have a very large data set, you probably do not want to enter it into the session. A session may create some problems with the buttons on the rear panel, which must be mapped to what the user is actually trying to do. In general, you will find that the back button may be the scourge of a web developer.

  • Database. The last solution (which can again be used in combination with others) is that you store the information in the database in the appropriate schema with a column that indicates the state of the element. For example, if you were processing the creation of an order, you could save the order in the Order table with the "state" column, which determines whether it was real or not. You would save the order ID in the query string or session. The website will continue to write data to the table to update the various parts and children until the user can declare that they are completed and the order status is marked as a real order. This can complicate reports and queries in that they all need to distinguish between “real” items and those in the process.

One of the elements mentioned in your last link was Application Cache. I would not find this user-specific, as it is a widely used application. (Obviously, he can be trained in shoes, but he would not recommend this). I have never played with storing data in an HttpContext outside of passing it to a handler or module, but I would be skeptical that it was different from the above solutions.

In general, there is not a single solution to manage them all. The best approach is to assume on each page that the user could go to this page from anywhere (as opposed to assuming they got there using a link on another page). If you do, problems with the buttons on the button will become easier to handle (although it is still a pain). In my development, I use the first four extensively, and sometimes resort to the last solution when it requires it.

+41
Jul 12 '10 at 17:14
source share

Ok, so I want a preface to my answer; Thomas clearly has the most accurate and comprehensive answer that still remains for people starting fresh. This answer is not in the same vein. My answer comes from the perspective of a "business developer." As we all know too well; sometimes it’s just not possible to spend money rewriting something that already exists and “works” ... at least not all with one shot. Sometimes it’s best to implement a solution that allows you to move to a better alternative over time.

The only thing I would say is that Thomas is missing; client javascript state. Where I work, we found that customers are increasingly expecting applications like Web 2.0. We also found that such applications typically lead to much higher user satisfaction. With a little practice and support for some really great javascript libraries like jQuery (we even started using GWT and found it to be AWESOME), communicating with REST JST services implemented in WCF may be trivial. This approach also provides a very good way to begin the transition to SOA-based architecture and a clean separation of user interface and business logic.

But I was distracted.

It seems to me that you already have an application, and you have already expanded the boundaries of the built-in ASP.NET session management. So ... here's my suggestion (assuming you've already tried ASP.NET session management outside the process, which scales significantly better than in-process / on-box session management, and it looks like you have it because you mentioned It); NCache

NCache provides you with a drop-in replacement for ASP.NET session control settings. It is very simple to implement and can “help you” so that your application is more than enough for you to get through without any significant investment in refactoring your existing code base right away.

You can use the extra time and money to start reducing your technical debt by focusing the new development on things that are of direct business value — using a new approach (for example, any alternatives suggested in other answers or mine).

Just my thoughts.

+9
Jul 18 '10 at 7:11
source share

I would never do that. I have never had problems storing all session data in a database, loading them based on user cookies. This session is for everything, but I control it. Do not give up control of your session data on your web server ...

With a little work, you can support helper sessions and enable multitasking in different tabs / windows.

+3
Jul 08 '10 at 20:23
source share

After going through all the above scripts and answers and this link Data Definition Methods My last tip:

Cookies for:

  • ENCRYPT [userId's]
  • ENCRYPT [productId]
  • ENCRYPT [xyzIds ..]
  • ENCRYPT [etc ..]

DATABASE for:

  • cookie ID datasets
  • datatables BY COOKIE ID
  • all the other big pieces BY COOKIE ID

My consultation also depends on the below statistics and this link. Data Definition Methods :

enter image description here

+3
Jul 25 '12 at 10:22
source share

As a starting point, I find the use of critical data elements, such as the client identifier, which is best placed in the query string for processing. You can easily track / filter bad data coming from these elements, as well as allow some integration with email or other related sites / applications.

In the previous application, the only way to view an employee or record a query with their participation was to log into the application, search for an employee, or search for recent records to find a report. This became problematic, and it took a long time for someone from the relevant department to take a simple look at the records for audit purposes.

In the rewriting, I made the employee identifier and request identifiers available through the base URL "ViewEmployee.aspx? Id = XXX" and "ViewRequest.aspx? Id = XXX". The application was configured to A) filter out invalid identifiers and B) authenticate and authorize the user before allowing them these pages. What this allowed users to do first of all was to send simple emails to the auditors with the URL in the email. When they were in a big hurry, they were in the process of mass processing, they could just click on the list of URLs and perform the corresponding processing.

Other session-related data, such as modification dates and maintaining the “state” of user interaction with the application, are becoming a bit more complex, but hopefully this provides a post for you.

+2
Jul 12 '10 at 15:37
source share


More articles:


All Articles