I am using MVC filterContext.HttpContext to cache result data from the server.
Is filterContext.HttpContext.Cache server side or client side? Is it secure?
Can the cached data be hacked?
What's the difference between System.Web.Caching.Cache and mvc filterContext.HttpContext.Cache?
HttpContext.Cache is stored server-side, in memory. The client cannot access it assuming you don't expose it to the client in some way. Sure, it can be "hacked" if an attacker has access to the box - ASP.NET isn't going to do anything to protect these cached values in memory. If you mean, "Does a client have direct access to these values", the answer is no - assuming you did not build anything that a client can use to get the values. However, I would absolutely not use either of these caching mechanisms for storing sensitive information.
The difference between the two has already been answered: Difference between System.Web.Cache and HTTPContext.Curent.Cache
Related
I've implemented anti-forgery protection using the ValidateAntiForgeryTokenAttribute in MVC 5. It is working fine, but in the future we may move to more of a "web farm" approach to hosting. If I run my application in development and go to a form, restart the web server (by restarting the app in Visual Studio) and then submit a form, it doesn't throw the System.Web.Mvc.HttpAntiForgeryException.
Our application doesn't use any other session state. Can someone help me understand how my server picks up where it left off? I'm not defining a machineKey in my web.config, or anywhere else that I can find. Does it have something to do with running in a development environment?
The only references I can find to this are for earlier versions of MVC, so I'm wondering if this is solved in a different way now.
I'm glad this functionality works, but I need to understand why.
The server itself isn't remembering anything; it doesn't have to.
The two things at work here are:
The form hidden input
A cookie
This means that if the user visits a page with an AntiForgeryToken on it, then the server restarts, it's no problem because the user's and the form's __RequestVerificationToken are still the same as they were.
The actual security token is a hashed key that is stored inside the AntiForgeryToken object. This object is serialised to Base 64 and that is what you see when you look at the values of the __RequestVerificationToken. Since the security keys are stored each time, even if the server resets the values are still inside those objects. The keys are then retrieved and compared in order to validate the tokens.
There is no decryption during this process. The tokens are deserialised, the security keys read and then compared. Since the security keys are not encrypted, but are rather hashed, then they cannot be decrypted; only compared.
given the nature of the project, I need to store a simple object (with 3/4 properties) in TempData. It is a read once write once so that's fine but does need to be passed between a few core methods/actions.
question is: How can I make it work with webfarms? What things are needed to be configured to allow TempData to work with a webfarm?
using MVC 4 Razor.
thank you
By default, TempData is implemented using Sessions, so this would be a problem on a farm.
The easiest solution would be to use the CookieTempDataProvider
TempData is stored in the session. This means that the only reliable way to use it in a web farm would be to have a state server of some sort.
Changing the ApplicationId (MachineKey) on all the servers to make them match does nothing for session. That only means that each server can decode the cookies left by the others. Session lives on the individual web server in memory.
If you don't have sticky sessions on your load balancer, the request that populates TempData on server 1, will likely redirect to a server different than itself and TempData will not be populated (or not with the same data that was just put in on server 1).
I want to track a user's logon session from the time they login to my site, to the time they logoff.
Is there a pre-existing cookie I should use, or variable? I thought of using ASP.NET sessionIDs but read on StackOverflow that these numbers may change.
I would save my own Session cookie, but I don't want to do something that could be done more efficiently another way. I'm using Windows Identity Foundation (WIF) to handle my authentication layer.
The only cookie I see in fiddler is a FedAuth cookie so I assume that I might be able to derive some valuable information from it, but I don't know where / how in the WIF framework to gain access to such information.
WIF gives a bunch of events you can subscribe to. See these:
http://msdn.microsoft.com/en-us/library/microsoft.identitymodel.web.wsfederationauthenticationmodule_members.aspx
http://msdn.microsoft.com/en-us/library/microsoft.identitymodel.web.sessionauthenticationmodule_members.aspx
You can control some of the cookie characteristic via the config - A Hidden Gem: The WIF Config Schema. In particular, note the cookieHandler section and
hideFromScript - Boolean - default true Controls whether the
"HttpOnly" flag is emitted for any cookies written. Certain web
browsers honor this flag by keeping client-side script from accessing
the cookie value.
In terms of WIF, there is a Deserialize in Tokens.SessionSecurityTokenCookieSerializer and a CookieHandler (Delete / Read / Write) in IdentityModel.Web.
I need to call a webservice which takes as parameters things like the database name, schema name, login credentials etc.
I'd ideally like to call the webservice directly from jQuery, but I feel that these parameters belong in the web config so perhaps I should be calling the webservice indirectly through an ajaxed MVC controller method.
What are peoples opinions on this? Is there an elegant solution?
Edit: It's just occured to me that I'll be exposing the server credentials to the client if I make the call from jQuery, so I guess that isn't an option unless there's a clever trick I don't know about.
Elegance is in the eye of the beholder, but you could institute a token-based system. Users of your service would apply ahead of time to use your service. You would issue a token (a GUID for this example). Each call to the service, the user would include that token as a parameter, or better, part of the request headers. On the server, you could use that token to find out the items needed by that user (database and schema names, login credentials, etc).
Again, elegance is in the eye of the beholder, but a solution like this does address the concern in the question: exposing server credentials to the client.
Jonathan has a good answer, but you could also create some sort of serialized data object that contains all the info you're concerned with, and write it to the client as an encrypted string. pass the string to the web service, and the web service would be able to decrypt and parse as needed.
I currently using my own membership implementation on a ASP.MVC project. I've got an Account and an Account can have more than 1 memberships.
I am not sure what is the best approach to follow with Account information being cached. I am currently loading the account information for almost each request from the User property of the controller.
Should I cache the account information? And if where would be the best place, cookies or Session?
I recommend fairly strongly against sessions. They won't scale well and do not fit into web/HTTP type of architectures. See 'Key REST principles' in this REST article if you like the REST stuff.
I would suggest to put the user information in cookies (don't over do it, just really required stuff).
And keep sensitive information in the ASP.NET Forms authentication cookie. See Forms Authentication article, "Step 4: Storing Additional User Data in the Ticket".
Fetch the rest of the data from the database. Avoid premature optimization.
As is often the case with these questions, the answer is "it depends".
Cookies are fine if you are only storing small amounts of string data. There are limitations (4k per cookie, HTTP header limit) and they are sent across the wire with every request and response. You might have to "re-inflate" your account/member info from data stored in the cookie. Users can opt to not accept cookies from your website.
Session is strongly-typed (no re-inflation) and not transmitted with every request/response. There are several options for scaling up session storage if you think your web app will need it. Most small-medium sites use session with no problems.