[SOLVED] Security consideration when using Global Variables in Webforms Pages?

Issue

I have a webforms application and I have declared a few global variables as follows:

public partial class Default : System.Web.UI.Page
{
    // field on the page class, shared by several methods in this code-behind
    protected string testvar;
}

This variable is used by multiple functions to share values and do operations.
I wanted to know whether this adds any security issues when using global variables like this (can this be accessed directly by users? or can the value be manipulated by any user?) and is this value shared between users?

I tried finding multiple resources here but was unable to find one which could answer the security side of this approach.

Thanks!

Solution

Local vars, and even global vars do NOT persist. If they do during testing, then you are just being lucky. I don’t think there are any security concerns, but such values go out of scope.

In fact, any local vars and even vars scoped global to the web form also go out of scope AFTER the post-back is done, code behind runs, and then the page is sent back to the client side. At that point, the web server pretty much does NOT keep that web page loaded server side. The web server is just sitting there – and is waiting for ANY user to click a button – and they can all be on different web pages.

So, if you need to persist values, then you REALLY have to use session().

Session() is scoped global, but ONLY to the one given user.

However, even with session() you often have to be careful. Say you have a page with a grid view – to select a house to buy. You click on one row, get the PK row value, shove it into session, and then jump-navigate to a page that shows details about that house. Be careful writing code on that next page that assumes and uses session() with the PK id.

Why?

Well, because the user might have two copies of the browser running or even multiple tabs open. If two tabs are on that first grid view, then the user while looking at the current house might go to the other tab (with grid view) and now select a different house. You now have two pages open, but session(PK value) is now the last grid row clicked on. If you then go back to the other page with the one house on, and click buy house – and that code uses session()??

You just bought the wrong house – since session() is global to that user.

There are boatloads of articles on how to deal with this issue – and most of them are VERY ugly.

What I do?
I adopt this coding rule:

I use session to PASS values to the next page, but on first page load (not IsPostBack), I then transfer the few values into ViewState. That way, all code, and operation of that new page is based on ViewState as opposed to session().

The result? Well, now the user can have 5 or 2 browser tabs open, and my code will continue to work.

So in summary:

Global (and usually often static) vars are global to all users – I suggest not using them as a result. And if they are not static (constants), then again, such values do NOT hold their values – they might for a bit, but if you start writing code that assumes this, the instant you get your site into production with many users – you find it doesn’t work.

Session()

Session is great, is secure, and often eliminates the need to have ugly parameters in the URL. And they are global to the ONE user. But as noted, caution, since if that user has multiple tabs open, or multiple copies of their browser open – or even different browsers open to that web site? They ALL SHARE the same session() for the one user.

ViewState:
View state is per page – and limited to ONLY that page. It is 100% re-created on a first page load. The only caution here? Don’t load up many or big objects into ViewState, since viewstate is stored in the browser – and travels along for EACH post back. So, if you load up viewstate with a lot of data or variables? Then that will bloat up the operation of the web page, since each and every button click etc. has to pass and hold and keep the view state as part of that web page.

So, a good design pattern, and one that will allow you to write applications that don’t step on each others toes so to speak?

Use session to pass values – it works great and you can’t use viewstate for this purpose. On first page load – as quickly and as fast as possible transfer the session() values you need and want for that page’s operation. That way, all page operation is not tied to session() variables, which as noted are global to the one user. View state is in fact ONLY global to the one web page – it actually does not care about the one user.

So don’t use session for ANY variable or value that belongs to the ONE page in your code behind. But, sure, use session() to pass values to the next page your code jumps to – but then follow above rule and move such session values into ViewState for continued operation of that one given page.

But, attempting to use global memory variables? Nope – don’t even try – it’s not workable at all – not one bit.

Answered By – Albert D. Kallal

Answer Checked By – David Goodson (BugsFixing Volunteer)
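The Session-to-ViewState hand-off the answer describes, written out as an added C# code-behind example (this is not code from the original answer or the asker). The page name HouseDetails, the keys SelectedHouseId and HouseId, the HouseList.aspx redirect target and the btnBuy handler are assumptions.

```csharp
// Added example (not from the original answer): the Session-to-ViewState
// hand-off described above. Page name, keys and redirect target are assumed.
using System;
using System.Web.UI;

public partial class HouseDetails : Page
{
    // A field like this lives only for one request: ASP.NET creates a new Page
    // object for every postback, so nothing assigned here survives a round trip.
    protected string testvar;

    // Typed wrapper around ViewState: state that belongs to this page (and this
    // browser tab), serialised into the hidden __VIEWSTATE field on each postback.
    private int? HouseId
    {
        get { return (int?)ViewState["HouseId"]; }
        set { ViewState["HouseId"] = value; }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack)
            return; // ViewState already carries this page's own copy

        // First load only: pick up the value the grid page passed via Session ...
        object passed = Session["SelectedHouseId"];
        if (passed == null)
        {
            // Nothing was passed (direct URL hit, expired session): do not guess.
            Response.Redirect("~/HouseList.aspx");
            return;
        }
        HouseId = (int)passed;

        // ... and stop reading Session from here on, so another tab that later
        // overwrites Session["SelectedHouseId"] cannot change which house this
        // page is bound to. Clearing the slot (optional) keeps the hand-off one-shot.
        Session.Remove("SelectedHouseId");
    }

    protected void btnBuy_Click(object sender, EventArgs e)
    {
        // Acts on the page's own ViewState copy, never on the shared Session slot.
        int id = HouseId ?? throw new InvalidOperationException("No house bound.");
        // Purchase logic goes here (assumed helper): PurchaseService.Buy(id, User.Identity.Name);
    }
}
```

ViewState travels to the browser, so leave the ViewState MAC enabled (it is enforced by default on current ASP.NET) and set ViewStateEncryptionMode if the value must not be readable client-side; Session data, by contrast, never leaves the server.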
