asp.net-mvc-3 - MVC3 - Putting Sensitive Information in the ViewBag

Original | Tag: asp.net-mvc-3

MVC3 - Putting Sensitive Information in the ViewBag

Is it a bad idea to put sensitive information (user IDs, connection strings, things I might not want visible to other users) in the ViewBag? Can an external user get to that info in any way?

My thought is no, they cannot get to it (I have tried, not that I am in LulzSec) but I was curious on other people's thoughts.

Thanks in Advance!

Answer

ViewBag is session based and is only for the CURRENT request, and as such has the same constraints as the session with the added benefit that it is deleted at the end of that request, so no - this is not accessible. Even if someone could steal your session id and hijack the session, ViewData would be gone.

TempData is another story: session hijacking would allow a user to hijack another session - hence TempData - but a user still wouldn't be able to see that by default unless you have this information emitted into trace info. So basically if I could steal your session, whatever code you have on the next request would be executing for me, and not for the user it's 'waiting' for on the next request. But - they still can't enumerate it and access it themselves.
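The lifetimes the answer describes, and the check a practitioner would actually want, as an added example that is not part of the original answer. It assumes ASP.NET MVC 3 (System.Web.Mvc) and an NUnit test project; OrdersController, SecretLeakCheck and the connection string are constructed for illustration and are not from the page.

```csharp
// Added example, not code from the original answer. Assumes ASP.NET MVC 3
// (System.Web.Mvc) and NUnit; OrdersController, SecretLeakCheck and the
// connection string below are constructed for illustration.
using System;
using System.Linq;
using System.Web.Mvc;
using NUnit.Framework;

public class OrdersController : Controller
{
    // Constructed sample secret; a real app would read this from config.
    private const string OrdersDb =
        "Server=db01;Database=Orders;User Id=app;Password=hunter2;";

    public ActionResult Index()
    {
        // ViewBag is a dynamic facade over this.ViewData. The dictionary is
        // built on this controller instance and handed to the view engine
        // for the current request only; it is not stored in session state
        // and reaches the browser only if a view renders it.
        ViewBag.CurrentUserId = 42;
        ViewBag.ConnectionString = OrdersDb;   // the mistake under discussion
        return View();
    }

    public ActionResult Create()
    {
        // TempData survives one redirect. The default TempDataProvider keeps
        // it in session state, so it carries the session's risks: whoever
        // presents the hijacked session id receives it on the next request.
        TempData["LastCreatedOrderId"] = 1001;
        return RedirectToAction("Index");
    }
}

public static class SecretLeakCheck
{
    // Keys or values that suggest a secret has been handed to the view layer.
    private static readonly string[] Markers =
        { "password=", "pwd=", "connectionstring", "secret", "apikey" };

    private static bool Suspicious(string text)
    {
        return text != null &&
               Markers.Any(m => text.IndexOf(m, StringComparison.OrdinalIgnoreCase) >= 0);
    }

    // Returns the offending ViewData keys so a failing test can name them.
    public static string[] FindSuspiciousEntries(ViewDataDictionary viewData)
    {
        return viewData
            .Where(kv => Suspicious(kv.Key) || Suspicious(kv.Value as string))
            .Select(kv => kv.Key)
            .ToArray();
    }
}

[TestFixture]
public class OrdersControllerTests
{
    [Test]
    public void Index_DoesNotPutSecretsInViewData()
    {
        // Calling the action directly needs no HttpContext; View() only
        // builds a ViewResult that carries this request's ViewData.
        var result = (ViewResult)new OrdersController().Index();

        // This fails for the action above, which is the point: the guard
        // catches the secret at the controller boundary, before any view
        // or debugging helper can write it into a response.
        CollectionAssert.IsEmpty(SecretLeakCheck.FindSuspiciousEntries(result.ViewData));
    }
}
```

The framework never serializes ViewData to the client on its own, so the exposure path is the view: a debugging loop over ViewData, a helper that dumps the model to JSON, or an error page with trace output would emit the connection string verbatim. Testing the ViewResult's dictionary at the controller boundary keeps that class of mistake from depending on what any given view happens to render.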
