
I'm having a bit of trouble with ASP.NET. I have a small DataTable that I need to be page dependent and also user inaccessible. What I mean is:

  1. If I store the data from the DataTable inside a HiddenField, the HiddenField is page dependent (different values for multiple requests of the same page), but it's not user inaccessible, since a user can modify its content and then post back.

  2. If I store the DataTable in Session, that is user inaccessible (which is good), but since some of the content of the page depends on this value, if a user opens the page multiple times (in different tabs) then the session is updated with the content from the last page requested, and therefore the "older" pages are not properly rendered if a postback occurs.

Example: Take an integer variable. This is sensitive information. I need to save this value so that users cannot modify it, and it can also have different values for each page (the same way a HiddenField works). How can I do that? Thanks!

PS: I'm using ASP.NET 4.0 with C#

osmiumbin

1 Answer


Add a unique key to a hidden field; use this key to access a unique session value that is specific to the instance of the page. Even if someone guessed someone else's unique key(s), it would be useless without the session key.

Example:

<input type="hidden" value="234092735029730" id="InstanceId" runat="server" />

Generate this value the first time the instance of the page is rendered:

// Only on the first (non-postback) render: a postback must keep the key it was given.
if( !Page.IsPostBack ){
    this.InstanceId.Value = GenerateKey().ToString();
}

When retrieving a value from Session specific to that page:

// The hidden field only carries the lookup key; the data itself never leaves the server.
string key = this.InstanceId.Value;
var value = Session[key];

To generate a page-unique ID, something like this will work:

using System;
using System.Security.Cryptography;

// One shared, thread-safe CSPRNG for the application.
private static RNGCryptoServiceProvider _crypto = new RNGCryptoServiceProvider();

// 64 random bits: unguessable, which is what keeps one instance's key from being enumerated.
public static long GenerateKey(){
    byte[] bytes = new byte[8];
    _crypto.GetBytes( bytes );
    return BitConverter.ToInt64( bytes, 0 );
}

Keep in mind that Session isn't necessarily 100% secure (e.g. session fixation attacks), but it is orders of magnitude more secure than storing the information in the data sent to the client.

Tim M.
  • Beautiful approach. I'll mark it as answered after I'm done :) Thanks. – osmiumbin Jan 11 '13 at 20:56
  • Excellent. An additional note: if you put large data (like a DataTable) into Session, try to clean up all those unique copies. For example, if a user clicks a "close" button on a form, you could remove that specific instance from session. Of course, you can't do much if they just close the browser. – Tim M. Jan 11 '13 at 21:04
  • The DataTable is small (4 cols x 20 rows, all integers, so I guess it is very small). One question: all those session instances are disposed when the user closes the browser, yes? And I suppose that session objects are not globally accessible to all users (Session[key] for user 1 is not accessible for user 2, right?). Thanks again! – osmiumbin Jan 11 '13 at 21:36
  • Yes, session is unique per user. You don't need to worry about that at all. The session isn't abandoned immediately when the user closes the browser, but it will be cleaned up automatically after the timeout expires. – Tim M. Jan 11 '13 at 21:38