
I have an MVC4 C# application that I want to allow a client to access through code (no browser or view). The client will send a user ID which will be used to look up a record, and three fields will be returned. Both the incoming and outgoing data are sensitive information, so I need a solution that is secure. The application is running on a site with SSL (https); will this protect me from JSON hijacking if I use a JSON solution, as two answers have suggested?

public ActionResult InAction(string id)
{ 
  // code to retrieve record and return three fields field1, field2, field3

  return (what would go here?)
}

Can I even use a Controller Action to handle this? Do I need a full-blown web service to do this? If so, any links to good MVC tutorials would be helpful.

The client works in ASP (WebForms) and is talking about a responder page with key-value pairs; how would I do the equivalent in MVC?

Any help on getting me going is greatly appreciated.

Thank you

UPDATE: I've marked Brett's JSON suggestion as the answer. I am returning a string (not an array), and the entire transaction is taking place over an SSL connection, so I believe the possibility of JSON hijacking is not an issue.

  string response = field1 + "," + field2 + "," + field3;
  return Json(response, JsonRequestBehavior.AllowGet);
}

If I'm mistaken on that please let me know.

tereško
Joe

2 Answers


As nikeaa mentions, just create an action within your controller that returns a JsonResult.

public JsonResult InAction(string id)
{
    // get some object from repository
    var repository = new ObjectRepository();
    var returnObj = repository.GetObject(id);
    return Json(returnObj, JsonRequestBehavior.AllowGet);
}

You will need to specify JsonRequestBehavior.AllowGet to override the default .DenyGet. This opens up a security vulnerability when returning JSON with a GET request, though. See this StackOverflow answer for details.

Brett
  • Thanks, Brett. I should have mentioned that the site running the application is https (SSL) and that I will be returning sensitive information. Since I cannot use [HttpPost] on the JsonResult I have to use .AllowGet. I don't follow your comment that I should use it for security reasons; isn't .AllowGet what makes it vulnerable to JSON hijacking? The link says 'You do not want to return sensitive information using JSON in a GET request.' How could I securely return the sensitive information to the client? Will SSL protect me against JSON hijacking? – Joe Feb 12 '13 at 01:27
  • @Joe, I have edited my response, I was just stating you need that parameter to override the default behaviour. I'm no expert, but I would try to avoid sending sensitive data to the client unless they were authenticated, I would imagine over SSL is better. Also to avoid the JSON hijacking, I think one method would be to ensure the response is encapsulated in an object rather than being an array. – Brett Feb 12 '13 at 11:23
  • I've marked this as the answer. I thought the phrasing on .AllowGet was still confusing. I took the liberty of editing your response to make it clearer. Thanks – Joe Feb 12 '13 at 16:10
  • Sorry, I had upvoted but not clicked the arrow. Done now, thanks again. – Joe Feb 12 '13 at 21:09
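An added example (editor's illustration, not code from the question or either answer) of the action shape a practitioner would use for this case. It makes two points concrete. First, [HttpPost] can be placed on any action method, including one that returns a JsonResult, so a POST-only action never needs JsonRequestBehavior.AllowGet; the default stays DenyGet. Second, TLS only protects the bytes in transit: the classic JSON hijacking pattern is a page on another origin loading the JSON URL with a script tag while the browser attaches the victim's cookies, and HTTPS does nothing about that. Refusing GET, authenticating the caller and returning an object rather than a bare array is what closes it. The LookupController, RecordRepository, LookupResult type, X-Api-Key header and LookupApiKey app setting are assumed names for illustration, and the dictionary in the repository is constructed sample data; the client half shows how a WebForms page or any other .NET caller would make the POST.

```csharp
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Configuration;
using System.Net;
using System.Text;
using System.Web.Mvc;
using System.Web.Script.Serialization;

// What the action returns: only the three fields, never the whole record.
public class LookupResult
{
    public string Field1 { get; set; }
    public string Field2 { get; set; }
    public string Field3 { get; set; }
}

// Assumed data-access type standing in for the application's real lookup.
public class RecordRepository
{
    // Constructed sample data for the example.
    private static readonly Dictionary<string, LookupResult> Records =
        new Dictionary<string, LookupResult>
        {
            { "42", new LookupResult { Field1 = "alpha", Field2 = "beta", Field3 = "gamma" } }
        };

    public LookupResult GetRecord(string id)
    {
        LookupResult r;
        return Records.TryGetValue(id, out r) ? r : null;
    }
}

public class LookupController : Controller
{
    // [HttpPost]: a GET, the only request a cross-site <script src> can make, is answered
    // with 404, so the action never needs JsonRequestBehavior.AllowGet.
    [HttpPost]
    public ActionResult InAction(string id)
    {
        // Authenticate the calling application. Assumed scheme: a shared secret sent in an
        // X-Api-Key header and stored in <appSettings> as LookupApiKey. Only meaningful over TLS.
        string expected = ConfigurationManager.AppSettings["LookupApiKey"];
        if (!FixedTimeEquals(Request.Headers["X-Api-Key"], expected))
            return new HttpStatusCodeResult(403);

        if (string.IsNullOrEmpty(id))
            return new HttpStatusCodeResult(400);

        LookupResult result = new RecordRepository().GetRecord(id);
        if (result == null)
            return new HttpStatusCodeResult(404);

        // Json() serialises this as {"Field1":"...","Field2":"...","Field3":"..."}. An object
        // literal with quoted keys is a syntax error as a top-level script, unlike a bare array.
        return Json(result);
    }

    // Compare the key without leaking how many leading characters matched through timing.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// Client half: a WebForms code-behind or any other .NET code makes the same POST.
public static class LookupClient
{
    public static LookupResult Fetch(string siteUrl, string apiKey, string id)
    {
        using (var http = new WebClient())
        {
            http.Headers["X-Api-Key"] = apiKey;
            var form = new NameValueCollection { { "id", id } };
            // UploadValues sends application/x-www-form-urlencoded, so "id" binds to the
            // action parameter. A 4xx from the server surfaces here as a WebException.
            byte[] body = http.UploadValues(siteUrl + "/Lookup/InAction", "POST", form);
            string json = Encoding.UTF8.GetString(body);
            return new JavaScriptSerializer().Deserialize<LookupResult>(json);
        }
    }
}
```

From the WebForms side the call is LookupClient.Fetch("https://your-site", key, "42"), which yields a LookupResult with the three fields populated. The header is a bearer secret, so the site should be HTTPS-only (no HTTP listener that could accept the same request in the clear); with that in place the three fields never travel as a GET URL, never land in server or proxy logs as a query string, and are never reachable from a script tag on another origin.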

It depends on the format you want to return the data in. For example, if you wanted to return the data in JSON format, you could use the following:

return (Json(userResultModel));

You would probably also want to change the method's return type to JsonResult.

nikeaa