Best Practices for Passing Data Between Pages

Problem description

The Problem

In the stack that we re-use between projects, we are putting a little bit too much data in the session for passing data between pages. This was good in theory because it prevents tampering, replay attacks, and so on, but it creates as many problems as it solves.

Session loss itself is an issue, although it's mostly handled by implementing Session State Server (or by using SQL Server). More importantly, it's tricky to make the back button work correctly, and it's also extra work to create a situation where a user can, say, open the same screen in three tabs to work on different records.

And this is just the tip of the iceberg.

There are workarounds for most of these issues, but as I grind away, all this friction gives me the feeling that passing data between pages using session is the wrong direction.

What I really want to do here is come up with a best practice that my shop can use all the time for passing data between pages, and then, for new apps, replace key parts of our stack that currently rely on Session.

It would also be nice if the final solution did not result in mountains of boilerplate plumbing code.

Proposed Solutions

Session

As mentioned above, leaning heavily on Session seems like a good idea, but it breaks the back button and causes some other problems.

There may be ways to get around all the problems, but it seems like a lot of extra work.

One thing that's very nice about using session is the fact that tampering is just not an issue. Compared to passing everything via the unencrypted QueryString, you end up writing much less guard code.

Cross-Page Posting

In truth I've barely considered this option. I have a problem with how tightly coupled it makes the pages -- if I start doing PreviousPage.FindControl("SomeTextBox"), that seems like a maintenance problem if I ever want to get to this page from another page that maybe does not have a control called SomeTextBox.

It seems limited in other ways as well. Maybe I want to get to the page via a link, for instance.

QueryString

I'm currently leaning towards this strategy, like in the olden days. But I probably want my QueryString to be encrypted to make it harder to tamper with, and I would like to handle the problem of replay attacks as well.

4GuysFromRolla has an article on this.

However, it should be possible to create an HttpModule that takes care of all this and removes all the encryption sausage-making from the page. Sure enough, Mads Kristensen has an article where he released one. However, the comments make it sound like it has problems with extremely common scenarios.

Other Options

Of course this is not an exhaustive look at the options, but rather the main options I'm considering. This link contains a more complete list. The ones I didn't mention, such as Cookies and the Cache, are not appropriate for the purpose of passing data between pages.

Finally...

So, how are you handling the problem of passing data between pages? What hidden gotchas did you have to work around, and are there any pre-existing tools around this that solve them all flawlessly? Do you feel like you've got a solution that you're completely happy with?

Thanks in advance!

Update: Just in case I'm not being clear enough, by 'passing data between pages' I'm talking about, for instance, passing a CustomerID key from a CustomerSearch.aspx page to Customers.aspx, where the Customer will be opened and editing can occur.

Recommended answer

Several months later, I thought I would update this question with the technique I ended up going with, since it has worked out so well.

After playing with more involved session state handling (which resulted in a lot of broken back buttons and so on) I ended up rolling my own code to handle encrypted QueryStrings. It's been a huge win -- all of my problem scenarios (back button, multiple tabs open at the same time, lost session state, etc) are solved and the complexity is minimal since the usage is very familiar.

This is still not a magic bullet for everything but I think it's good for about 90% of the scenarios you run into.

Details

I built a class called CorePage that inherits from Page. It has methods called SecureRequest and SecureRedirect.

So, you can call it like this:

 SecureRedirect(String.Format("Orders.aspx?ClientID={0}&OrderID={1}", ClientID, OrderID))

CorePage parses out the QueryString and encrypts it into a QueryString variable called CoreSecure. So the actual request looks like this:

Orders.aspx?CoreSecure=1IHXaPzUCYrdmWPkkkuThEes%2fIs4l6grKaznFGAeDDI%3d

If available, the currently logged in UserID is added to the encryption key, so replay attacks are not as much of a problem.

From there, you can call:

X = SecureRequest("ClientID")

Conclusion

Everything works seamlessly, using familiar syntax.

Over the last several months I've also adapted this code to work with edge cases, such as hyperlinks that trigger a download - sometimes you need to generate a hyperlink on the client that has a secure QueryString. That works really well.

Let me know if you would like to see this code and I will put it up somewhere.

One last thought: it's weird to accept my own answer over some of the very thoughtful posts other people put on here, but this really does seem to be the ultimate answer to my problem. Thanks to everyone who helped get me there.
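
The answer's CorePage code is not shown on the page, so the following is an added example, not the author's implementation: one way a helper behind SecureRedirect and SecureRequest could seal a query string into a CoreSecure value and bind it to the logged-in UserID. It assumes AES-CBC with an HMAC-SHA256 tag (encrypt-then-MAC) and per-user subkeys derived from a master key; the names SecureQuery, Seal and Open and the sample IDs are hypothetical.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class SecureQuery   // added example; hypothetical names, not CorePage itself
{
    static byte[] Hmac(byte[] key, byte[] data) { using (var h = new HMACSHA256(key)) return h.ComputeHash(data); }

    // Per-user subkeys: a token sealed for one UserID fails the MAC check for another.
    static byte[] Subkey(byte[] master, string label, string userId) => Hmac(master, Encoding.UTF8.GetBytes(label + "|" + userId));

    public static string Seal(byte[] master, string userId, string query)
    {
        using (var aes = Aes.Create())   // AES-CBC, fresh random IV per token
        using (var enc = aes.CreateEncryptor(Subkey(master, "enc", userId), aes.IV))
        {
            byte[] plain = Encoding.UTF8.GetBytes(query);
            byte[] body = aes.IV.Concat(enc.TransformFinalBlock(plain, 0, plain.Length)).ToArray();
            byte[] tag = Hmac(Subkey(master, "mac", userId), body);   // encrypt-then-MAC
            return Convert.ToBase64String(body.Concat(tag).ToArray());
        }
    }

    // Returns the query string, or null if the token is malformed, altered, or sealed for another user.
    public static string Open(byte[] master, string userId, string token)
    {
        byte[] raw;
        try { raw = Convert.FromBase64String(token); } catch (FormatException) { return null; }
        if (raw.Length < 64) return null;   // 16 IV + 16 ciphertext + 32 tag
        byte[] body = raw.Take(raw.Length - 32).ToArray();
        byte[] want = Hmac(Subkey(master, "mac", userId), body);
        int diff = 0;                       // constant-time tag comparison
        for (int i = 0; i < 32; i++) diff |= want[i] ^ raw[body.Length + i];
        if (diff != 0) return null;
        using (var aes = Aes.Create())
        using (var dec = aes.CreateDecryptor(Subkey(master, "enc", userId), body.Take(16).ToArray()))
            return Encoding.UTF8.GetString(dec.TransformFinalBlock(body, 16, body.Length - 16));
    }

    public static void Main()
    {
        byte[] master = new byte[32];       // demo key; a real one comes from protected config
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(master);
        string t = Seal(master, "alice", "ClientID=17&OrderID=4021");   // constructed sample values
        Console.WriteLine("Orders.aspx?CoreSecure=" + Uri.EscapeDataString(t));
        Console.WriteLine(Open(master, "alice", t));               // opened by the intended user
        Console.WriteLine(Open(master, "bob", t) ?? "rejected");   // same link, another UserID
    }
}
```

Binding the subkeys to the UserID stops a copied link from opening under another account, but the same user can still reopen an old link; an expiry timestamp inside the sealed string would bound that.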
