
MVC3 - Putting Sensitive Information in the ViewBag

Is it a bad idea to put sensitive information (user IDs, connection strings, things I might not want visible to other users) in the ViewBag? Can an external user get to that info in any way?

My thought is no, they cannot get to it (I have tried, not that I am in LulzSec), but I was curious about other people's thoughts.

Thanks in Advance!


ViewBag is session based and it is only based on the CURRENT request, and as such it has the same constraints as the session, with the added benefit that it is deleted at the end of that request, so no - this is not accessible. Even if someone could steal your session ID and hijack the session, ViewData would be gone.

TempData is another story, and session hijacking would allow a user to hijack another session - hence TempData - but a user still wouldn't be able to see that by default unless you have this information emitted into trace info. So basically, if I could steal your session, whatever code you have on the next request would be executing for me, and not for the user it's 'waiting' for on the next request. But they still can't enumerate it and access it themselves.
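
The lifetimes described in the answer above, as an added example that is not part of the original post and is not ASP.NET MVC's own code: a simplified console model in which per-request view data is discarded when the request ends, while TempData-style values are kept in server-side session state until the next request carrying that session ID reads them. `SessionStore`, `HandleRequest`, the session IDs and the sample values are hypothetical.

```csharp
using System;
using System.Collections.Generic;

// Simplified model of the lifetimes discussed above (assumption: not framework code).
static class LifetimeModel
{
    // Server-side state keyed by session ID; stands in for session-backed TempData.
    static readonly Dictionary<string, Dictionary<string, object>> SessionStore =
        new Dictionary<string, Dictionary<string, object>>();

    // One call models one HTTP request and reports what the action could see.
    public static string HandleRequest(string sessionId, string action)
    {
        // ViewBag/ViewData: a fresh dictionary per request, never persisted.
        var viewData = new Dictionary<string, object>();

        // TempData: loaded from the session store at the start of the request.
        Dictionary<string, object> tempData;
        if (!SessionStore.TryGetValue(sessionId, out tempData))
            SessionStore[sessionId] = tempData = new Dictionary<string, object>();

        if (action == "save")
        {
            viewData["UserId"] = 42;               // constructed sample value
            tempData["Notice"] = "Saved user 42";  // kept until a later request reads it
            return "viewData=" + viewData.Count + " tempData=" + tempData.Count;
        }

        // Any later request: viewData starts empty; the notice is read once, then removed.
        object notice;
        string seen = tempData.TryGetValue("Notice", out notice) ? (string)notice : "(none)";
        tempData.Remove("Notice");
        return "viewData=" + viewData.Count + " notice=" + seen;
    }

    static void Main()
    {
        Console.WriteLine(HandleRequest("sid-A", "save"));
        // Next request with the same session ID: view data is gone, the notice is consumed.
        Console.WriteLine(HandleRequest("sid-A", "show"));
        // A further request finds nothing left in either place.
        Console.WriteLine(HandleRequest("sid-A", "show"));
        // A different session ID never sees the other session's values.
        Console.WriteLine(HandleRequest("sid-B", "show"));
    }
}
```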




