1
votes

I'm developing a web application on ASP.NET MVC and I'm using ViewBag and TempData to store some values that will live until the user logs out, i.e. which user is logged in, some internal IDs so I can check roles, and other values that the user should not know.

My questions are:

  1. Are ViewBag / TempData good for these uses? Am I using them right or wrong?
  2. Are these tools secure? Can the user sniff these values some way?

Thanks for your answers.

3
Why are you mixing ViewBag and TempData? They are different things for different uses. You should post an example of what you are doing. By the way, none of them are useful to store data that must live more than one HTTP request - tede24
For your purpose of checking the user's role you can use MVC's role-based authorization like [Authorize(Roles = "Administrator")] .... For your query (2): Yes, they are secure... but they are not for your purpose of storing something for a long duration. For such a duration developers mostly use Session, which is also secure - Rajiv Bhardwaj

3 Answers

2
votes

TempData persists only until the next page access; ViewBag is used to pass values from the controller to the view. Neither is suitable for storing information which will last for the session. On security, they are both server side and the user will not be aware of them, so, yes, they are secure.

If you want to persist values for the duration of a session then you need a different mechanism. Several are available to you. My favourite is the use of session variables but some developers are firmly against session variables. You need to research your options further.

1
votes

You should store session based data in a session.

ViewBag is there for incidental data that is needed in View. Page titles, things like that. For other data that is needed in the view, you should be using the model.

TempData is for incidental data that is needed by the next action. It can store data for one roundtrip between server-client-server; after that it is removed unless you specifically make it stick around.

None of these expose data that is a security risk, unless you are silly enough to send security data to the client on purpose.

0
votes

For your purpose of checking the user's role you can use MVC's role-based authorization like [Authorize(Roles = "Administrator")] .... For your query (2): Yes, they are secure... but they are not for your purpose of storing something for a long duration. For such a duration developers mostly use Session, which is also secure
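
The split the answers describe, as an added example in C# for ASP.NET MVC 5 (not code from the question or any answer): Session holds the internal ID, ViewBag and TempData carry only per-request display data, and [Authorize] does the role check. The controller name, the "InternalUserId" key and the in-memory sample data are assumptions, and matching Index and Admin views are assumed to exist.

```csharp
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Web.Mvc;

// Added example: controller, session key and sample data are hypothetical.
[Authorize] // every action requires an authenticated user
public class AccountController : Controller
{
    private const string InternalIdKey = "InternalUserId";

    // Constructed sample data standing in for a real user store.
    private static readonly Dictionary<string, int> Ids =
        new Dictionary<string, int> { { "alice", 1001 }, { "bob", 1002 } };
    private static readonly ConcurrentDictionary<int, string> DisplayNames =
        new ConcurrentDictionary<int, string>();

    public ActionResult Index()
    {
        // Session: kept on the server for the whole session; the browser
        // only holds the session ID cookie.
        int id;
        if (Session[InternalIdKey] == null && Ids.TryGetValue(User.Identity.Name, out id))
            Session[InternalIdKey] = id;

        // ViewBag: this request only, controller to view. Anything the view
        // renders from it is sent to the browser, so keep internal IDs out.
        ViewBag.Title = "My account";
        ViewBag.Notice = TempData["Notice"]; // null unless the previous request set it
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Rename(string displayName)
    {
        // The internal ID comes from the session, never from the posted form.
        var id = Session[InternalIdKey] as int?;
        if (id == null)
            return RedirectToAction("Index"); // session expired or not yet initialised

        DisplayNames[id.Value] = displayName;
        // TempData: carries the message across this redirect and is removed after it is read.
        TempData["Notice"] = "Display name updated.";
        return RedirectToAction("Index");
    }

    // The role check is enforced by the framework on every request.
    [Authorize(Roles = "Administrator")]
    public ActionResult Admin() { return View(); }
}
```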