ASP.net sensitive information storage

Question

I'm having a small trouble with ASP.net. I have a small DataTable that i need to be page dependent and also user inaccessible. What i mean is:

1. If i store the data from the DataTable inside a Hiddenfield, the hiddenfield is page dependent (different values for multiple same page requests) but its not user inaccessible since a user can modify its content and then post back.

2. If i store the Datatable in session, that is user inaccessible (which is good) but since some of the content from the page depends on this value, if a user opens the page multiple times (in different tabs) then the session is updated with the content from the last page requested and therefore the "older" pages are not properly rendered if a postback occurs.

Example: Take an integer variable. This is sensitive information. I need to save this value to so that users cannot modify it and it can also have different values for each page (same as a hiddenfield works). How can i do that? Thanks!

PS: i'm using ASP.net 4.0 with C#

Answer 1

Add a unique key to a hidden field; use this key to access a unique session value that is specific to the instance of the page. Even if someone guessed someone else's unique key(s), it would be useless without the session key.

Example:

<input type="hidden" value="234092735029730" id="InstanceId" runat="server" />

Generate this value the first time the instance of the page is rendered:

if( !Page.IsPostback ){
    this.InstanceId.Value = GenerateKey().ToString();
}

When retrieving a value from Session specific to that page:

string key = this.InstanceId.Value;
var value = Session[key];

To generate a page-unique ID, something like this will work:

using System.Security.Cryptography;

private static RNGCryptoServiceProvider _crypto = new RNGCryptoServiceProvider();

public static long GenerateKey(){
    byte[] bytes = new byte[8];
    _crypto.GetBytes( bytes );
    return BitConverter.ToInt64( bytes, 0 );
}

Keep in mind that that Session isn't necessarily 100% secure (e.g. Session fixation attacks) but it is orders of magnitude more secure than storing the information in the data sent to the client.