Is it a bad idea to put sensitive information (user ID's, connection strings, things I might not want visible to other user's) in the ViewBag? Can an external user get to that info in any way?
My thought is no, they can not get to it (I have tried, not that I am in LulzSec) but I was curious on other people's thoughts.
Thanks in Advance!
ViewBag is session based and it only the CURRENT request based and as such has the same constraints as the session with the added benefit that it is deleted at the end of that request, so no - this is not accessible. Even if someone could steal your session id and hijack the session, viewdata would be gone.
TempData is another story and session hijacking would allow a user to hijack another session - hence tempdata but a user still wouldnt be able to see that by default unless you have this information emitted into trace info. So basically if I could steal your session, whatever code you have on the next request would be executing for me, and not for the user its 'waiting' for on the next request. But - they still can't enumerate it and access it themselves.