1

I know view state doesn't exist in MVC. I'm looking for something similar to the encrypted view state mode in ASP.NET Web Forms. I want to hide some data in the request.

What I'm trying to achieve is to pass some data to the response and hide it from the user. I don't want the user to be able to modify the data or see it. By keeping that data hidden on the client side I want to reduce service calls, since I can't use session to keep that data.

The data won't be displayed at all. I just need to pass it to the service later.

jan salawa
  • 1
    "I don't want the user to be able to modify the data or see it". There are many ways to attempt this, but in one way or another, some part of your web app *will have to see the data*, which also (generally) means, if stuff has to happen client-side, that one way or another, the user will also have access to it if they know how to use a debugger. That doesn't mean you can't take measures to make it painful/tedious to get the data, of course. – JayC Mar 15 '13 at 14:02
  • 1
    Encrypted view state is another matter entirely. The server gets to keep any decryption key server side only. Since you'd want your app to *show* the data client-side, your app would have to decrypt client-side, which necessitates giving your client-side app the decryption key/method. – JayC Mar 15 '13 at 14:11
  • Read again, please. I just want to hide completely hidden fields, so the user won't be able to change or see that data, and I can reuse it on the server side without worrying that it was modified. – jan salawa Mar 15 '13 at 14:42
  • And just how do you expect these "fields" to be hidden? If you want some data "completely hidden", don't send it! But your original post said you want "to pass some data to response and hide it from the user". It isn't clear to what degree you want this data "hidden". For instance, if you just want a hidden field, use ``. But you said that you don't want the user to change this data. Just how so? Is it OK that the info be sent in the markup, just not "visible"? Do you just need some sort of anti-tampering measures? Then read up on digital signatures. – JayC Mar 15 '13 at 15:54
  • My original question was if there is some kind of similar mechanism to encrypted view state. Can we talk on chat here http://chat.stackoverflow.com/rooms/26254/encrypted-view-state-in-asp-net-mvc? – jan salawa Mar 15 '13 at 15:58

3 Answers

1

You just need to encrypt the value before putting it inside the hidden input field, then decrypt it on the server when it's posted.

Look up how to do simple encryption/decryption in C#. Here are a few good implementations:

http://www.joshrharrison.com/archive/2009/01/28/c-encryption.aspx

https://stackoverflow.com/a/5518092/160823

Omar
  • Yes, and sign it so I'll know if the user modified it. I was trying to find something like encrypted view state which is implemented by the framework. – jan salawa Mar 15 '13 at 16:47
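One way to do what this answer and its comment describe (encrypt the hidden-field value and make tampering detectable), as an added example that is not code from the page, the linked posts or MVC Futures. It uses AES-GCM from System.Security.Cryptography and assumes .NET 8 or later; `HiddenFieldProtector`, the context strings and the sample payload are hypothetical, and the key is generated in-process only for the demo.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
// Added example: HiddenFieldProtector is a hypothetical helper, not a framework type.
public static class HiddenFieldProtector
{
    private const int NonceSize = 12, TagSize = 16;
    // Encrypts and authenticates value. context (e.g. user id + action) is authenticated
    // but not stored in the token, so a token cannot be replayed in another context.
    public static string Protect(byte[] key, string value, string context)
    {
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceSize); // fresh nonce per token
        byte[] plain = Encoding.UTF8.GetBytes(value);
        byte[] cipher = new byte[plain.Length], tag = new byte[TagSize];
        using (var aes = new AesGcm(key, TagSize))
            aes.Encrypt(nonce, plain, cipher, tag, Encoding.UTF8.GetBytes(context));
        return Convert.ToBase64String(nonce.Concat(tag).Concat(cipher).ToArray());
    }

    // Returns false for any malformed, modified or wrong-context token.
    public static bool TryUnprotect(byte[] key, string token, string context, out string value)
    {
        value = string.Empty;
        try
        {
            byte[] raw = Convert.FromBase64String(token);
            if (raw.Length < NonceSize + TagSize) return false;
            byte[] plain = new byte[raw.Length - NonceSize - TagSize];
            using (var aes = new AesGcm(key, TagSize))
                aes.Decrypt(raw.AsSpan(0, NonceSize), raw.AsSpan(NonceSize + TagSize),
                            raw.AsSpan(NonceSize, TagSize), plain, Encoding.UTF8.GetBytes(context));
            value = Encoding.UTF8.GetString(plain);
            return true;
        }
        catch (Exception e) when (e is FormatException || e is CryptographicException) { return false; }
    }

    public static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32); // demo key; keep the real one server-side
        string ctx = "user:alice|Transfer";              // constructed context
        string token = Protect(key, "accountId=42;limit=500", ctx); // constructed payload
        Console.WriteLine(TryUnprotect(key, token, ctx, out string v) + " " + v); // round trip
        string edited = token.Substring(0, 20) + (token[20] == 'A' ? 'B' : 'A') + token.Substring(21);
        Console.WriteLine(TryUnprotect(key, edited, ctx, out _));                 // value changed client-side
        Console.WriteLine(TryUnprotect(key, token, "user:bob|Transfer", out _));  // token reused under another user
    }
}
```

The token goes into the hidden input as an opaque string; the action that receives the post calls `TryUnprotect` and rejects the request when it returns false.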
1

So I've found the answer to my question. There is the MVC3Futures project, which adds the desired behavior.

It's possible to serialize the entire model and encrypt it.

@Html.Serialize("Transfer", Model, SerializationMode.EncryptedAndSigned)

Binding in the controller is automated by adding the Deserialize attribute.

public ActionResult Transfer(string id, [Deserialize(SerializationMode.EncryptedAndSigned)] Transfer transfer)
jan salawa
0
Though I really don't know what you are encrypting, if you want to avoid CSRF or data tampering then go for this.

You can use AntiForgeryToken() for validating against the tampered data. The anti-forgery token can be used to help protect your application against cross-site request forgery. To use this feature, call the AntiForgeryToken method from a form and add the ValidateAntiForgeryTokenAttribute attribute to the action method that you want to protect.

In the view, use AntiForgeryToken like this:

@Html.AntiForgeryToken()

In controllers:

// Rejects the POST unless it carries the token emitted by @Html.AntiForgeryToken()
[ValidateAntiForgeryToken]
public ActionResult SomeAction()
{
  return View();
}
Ravi Gadag
  • I know about this method and it doesn't help with my problem. What I'm trying to achieve is to pass some data to the response and hide it from the user. I don't want the user to be able to modify the data or see it – jan salawa Mar 15 '13 at 13:02
  • 2
    @jansalawa Rule #1: never ever trust user inputs, and don't store such information on the client side. He may have better tools to tamper with the data – Ravi Gadag Mar 15 '13 at 15:04