Is it a bad idea to put sensitive information (user IDs, connection strings, things I might not want visible to other users) in the ViewBag? Can an external user get to that info in any way?
My thought is no, they cannot get to it (I have tried, not that I am in LulzSec), but I was curious about other people’s thoughts.
Thanks in advance!
ViewBag is session based and it is only CURRENT-request based, and as such has the same constraints as the session, with the added benefit that it is deleted at the end of that request, so no – this is not accessible. Even if someone could steal your session ID and hijack the session, ViewData would be gone.
TempData is another story, and session hijacking would allow a user to hijack another session – hence TempData, but a user still wouldn’t be able to see that by default unless you have this information emitted into trace info. So basically, if I could steal your session, whatever code you have on the next request would be executing for me, and not for the user it’s ‘waiting’ for on the next request. But – they still can’t enumerate it and access it themselves.