Question

When passing a variable from one page to another

To avoid the user messing around with the URL parameter values

Is it best to ...

1) pass the variable via session

2) pass the variable in the URL along with a signature


Solution

As long as you're passing in a signature, it wouldn't matter where you are passing the values, because you will always check for the signature integrity.

What I would do is pass everything (including the signature) in the session. Just to keep the URL clean. But that's up to you and your particular use case.

OTHER TIPS

If you use the session, the user cannot control the contents of the values.

Also, if you have view state encryption enabled, you could use the view state. The advantage of the view state is that it's localized to a single page. This means that when the user has two tabs open of your website, the variables are localized to the specific tabs.

See http://www.codeproject.com/KB/viewstate/AccessViewState.aspx for how to access view state from another page.

Depends on your use case. Session IS in most cases safer. If someone can compromise your server to get your session data, then you have different things to worry about. It would be bad though if you store session data in a place where other people can see it ;-).

A URL signature could theoretically be brute-forced. Since the parameters are probably short and may sometimes be predictable, it may give someone who knows about encryption some point of attack. This is not trivial though. But if security is the top option for you, then I'd not allow this data to leave your server.

If you are really worried about the user going crazy and stripping down params, then you can go with session state; however, you may lose history, i.e. the Back and Forward buttons.

The second option looks good, but if the user is stripping things you can't be sure that the param even existed.

So a mix of both looks good.
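
The signed-URL option discussed in the answers above, as an added example that is not part of any answer on this page: an HMAC-SHA-256 over the complete parameter set, so a changed, stripped or duplicated parameter fails verification. The key, the `sig` parameter name and the sample parameters are assumptions made for the illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed demo key. A real key is long, random and stays on the server.
SECRET_KEY = b"constructed-demo-key-0123456789abcdef"


def _mac(params: dict) -> str:
    # Sort the pairs so the MAC covers one canonical encoding of the whole set.
    canonical = urlencode(sorted(params.items()))
    return hmac.new(SECRET_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def sign_query(params: dict) -> str:
    """Return a query string carrying the parameters plus their signature."""
    return urlencode({**params, "sig": _mac(params)})


def verify_query(query: str):
    """Return the parameters if the query is intact, otherwise None."""
    pairs = parse_qsl(query, keep_blank_values=True)
    params = dict(pairs)
    if len(params) != len(pairs):
        return None  # a key appears twice: ambiguous input, reject
    sig = params.pop("sig", None)
    if sig is None:
        return None  # signature was stripped from the URL
    # The MAC is recomputed over whatever parameters arrived, so removing or
    # editing any of them changes the canonical string and the check fails.
    # compare_digest runs in constant time, which avoids leaking how many
    # leading characters of a guessed signature were correct.
    if not hmac.compare_digest(sig.encode(), _mac(params).encode()):
        return None
    return params


if __name__ == "__main__":
    q = sign_query({"order_id": "1042", "user": "alice"})  # constructed sample
    print(q)
    print(verify_query(q))
    print(verify_query(q.replace("user=alice", "user=bob")))
```
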

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow