What can I use to replace hidden inputs in ASP.NET MVC?

1

I have the difficult task of migrating a WebForms system to MVC. The WebForms system has many hidden inputs that store basic information such as the session hash and user code. In my humble opinion, hidden inputs are somewhat insecure and even laborious to use in MVC. Can I use something else instead?

Thank you!

    
asked by anonymous 30.06.2014 / 14:26

2 answers

4

You can use the session object to store the information.

The Session object allows the developer to retrieve data previously persisted in the session for a certain time (default 20 minutes). However, use this feature sparingly and store only the data you need about your user: session data is stored in memory by default, so too much data can cause scalability issues.

// User variables
string firstName = "Jeff";
string lastName = "Smith";
string city = "Seattle";

// Saving information in the session.
Session["FirstName"] = firstName;
Session["LastName"] = lastName;
Session["City"] = city;

// Reading variables from the session.
firstName = (string)(Session["FirstName"]);
lastName = (string)(Session["LastName"]);
city = (string)(Session["City"]);

Example:

using System.Web.Mvc;

public class MeuController : Controller
{
    // Working with the session in a property of the controller
    public static Pessoa dadosPessoa
    {
        get
        {
            // Fully qualified: inside a Controller, "HttpContext" alone is the instance property
            var session = System.Web.HttpContext.Current.Session;
            if (session["pessoaX"] == null)
            {
                Pessoa p = new Pessoa();
                // Creates a session variable called pessoaX containing an object p
                session["pessoaX"] = p;
                return p;
            }
            else
            {
                return (Pessoa)session["pessoaX"];
            }
        }
    }

    public ActionResult Index()
    {
        // Retrieving data previously persisted in the session
        var pessoa = (Pessoa)(Session["pessoaX"]);

        var lista = obterDadosRepositorio(pessoa);
        return View("Index", lista);
    }
}

// Accessing the data in the view with Razor
@{ var sessionVar = Session["pessoaX"]; }

or

<%= this.Session["pessoaX"] %>

When a user logs into your application, you could populate an object with that user's data, add it to the session, and retrieve it when needed.

    
30.06.2014 / 16:18
3

There is no reason to feel this lack of security. Only data that can be manipulated by the View should be exposed in it.

In the case of WebForms, what happens is that this information is written to the View because of a limitation of the Framework, not necessarily because the Framework is more secure. For example, in MVC you do not need to use a session hash because all the information you need can be accessed through higher-level classes such as Request and classes that implement IPrincipal. The latter stores the user information and can be extended.

In any case, if there are any doubts in this conversion process, you can ask specific questions about some step you are having difficulty with. The community here will provide answers for you to solve your problem the best way possible.

    
30.06.2014 / 18:25
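The IPrincipal approach mentioned in the second answer, as an added example that is not part of either answer: the user code travels in the forms authentication ticket (encrypted and signed by default) and is read from `User` on the server, so no hidden field carries it. `AppPrincipal`, `SignIn`, `AccountController` and the 20-minute ticket lifetime are assumptions made for illustration, and Forms Authentication is assumed to be enabled in web.config.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical principal carrying the user code that WebForms kept in a hidden input.
public class AppPrincipal : IPrincipal
{
    public AppPrincipal(IIdentity identity, int userCode) { Identity = identity; UserCode = userCode; }
    public IIdentity Identity { get; private set; }
    public int UserCode { get; private set; }
    public bool IsInRole(string role) { return false; } // roles are not modelled in this example
}

public class MvcApplication : HttpApplication // Global.asax.cs
{
    // Call after the credential check succeeds: the user code goes into the ticket's UserData.
    public static void SignIn(HttpResponseBase response, string userName, int userCode)
    {
        var ticket = new FormsAuthenticationTicket(1, userName, DateTime.Now,
            DateTime.Now.AddMinutes(20), false, userCode.ToString());
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true, // not readable from script
            Secure = true    // assumes the site is served over HTTPS
        };
        response.Cookies.Add(cookie);
    }

    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        // FormsAuthenticationModule has already decrypted and validated the ticket at this point.
        var identity = Context.User == null ? null : Context.User.Identity as FormsIdentity;
        if (identity == null || !identity.IsAuthenticated) return;
        int userCode;
        if (!int.TryParse(identity.Ticket.UserData, out userCode)) return; // no AppPrincipal is set
        Context.User = new AppPrincipal(identity, userCode);
    }
}

[Authorize]
public class AccountController : Controller
{
    public ActionResult Index()
    {
        var principal = User as AppPrincipal;
        if (principal == null) return new HttpUnauthorizedResult();
        // Server-side value: no form field posted by the browser can change it.
        return View(principal.UserCode);
    }
}
```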