Encrypted view state in asp.net mvc

Question

I know view state doesn't exsists in mvc. I'm looking for somthing similar to encrypted view state mode in asp.net web forms. I want to hide some data in request.

What I'm trying to achieve is to pass some data to response and hide it from the user. I don't what the user to be able to modify the data or see it. By keeping that data hidden on client side i want to reduce service calls, since I can't use session to keep that data.

The data won't be displayed at all. I just need to pass it later to service.

Answer 1

So I've found the answer to my question. There is MVC3Futures project which adds desired behavior.

It's possible to serialize entier model and encrypt it.

@Html.Serialize("Transfer", Model, SerializationMode.EncryptedAndSigned)

Binding in controller is automated by putting deserialized attribute.

public ActionResult Transfer(string id,[Deserialize(SerializationMode.EncryptedAndSigned)]Transfer transfer)

Answer 2

You just need to encrypt the value before putting inside the hidden input field then decrypt it on the server when it's posted.

Look up how to do simple encryption/decryption in C#. Here's a few good implementations:

http://www.joshrharrison.com/archive/2009/01/28/c-encryption.aspx

https://stackoverflow.com/a/5518092/160823

Answer 3

1. Though i really don't know what you are encrypting. but if you want to avoid CSRF or data tampering then go for this.

you can use AntiForgeryToken() for validating agains the tampered data. The anti-forgery token can be used to help protect your application against cross-site request forgery. To use this feature, call the AntiForgeryToken method from a form and add the ValidateAntiForgeryTokenAttribute attribute to the action method that you want to protect.

In view use like this AntiForgeryToken

@Html.AntiForgeryToken()

In controllers

[ValidateAntiForgeryToken]
Public ActionResult SomeAction()
{
  return view()
}