Issues porting Viewstate to Silverlight (to protect server side data) in web calls
4 replies. Latest Post by makerofthings on July 6, 2009.
makeroft...
Member
14 points
20 Posts
07-02-2009 1:26 AM |
Suppose I need to call a few web services from Silverlight; how do I securely maintain state between calls on the client side, without worrying that my stateful data could be tampered with? ASP.NET has a solution where it automatically encrypts data in the ViewState using Machine Key... what is the best alternative in SL?
jay nana...
Contributor
3388 points
624 Posts
07-02-2009 1:30 AM |
This link will help:
http://latestdotnet.wordpress.com/2008/06/29/state-management-in-silverlight-2/
07-02-2009 10:33 AM |
True, Isolated Storage is how I can maintain state... but there is nothing to prevent those objects from being tampered with or otherwise modified on the client.
Suppose my WCF service is role-based, where a comma-delimited string is sent to the client. I don't want the end user modifying this string and granting them administrator rights. ASP.NET solved this with viewstate, and used the machinekey to encrypt this information. I haven't found a similar technology in SL...
Here is another example: a user buys items and places them into a shopping cart. The item names and their prices are all stored in an array on the client. When the client calls my service PurchaseItems(Items, price, qty) I don't want them to modify the price, thus giving them an unexpected discount. Although I wouldn't actually build an application with this architecture, I am really interested in addressing this scenario.
Is there a technology, framework, or otherwise standard way of encrypting, transmitting, and receiving vital information like this?
esite
Participant
1448 points
310 Posts
07-03-2009 3:59 AM |
Hi Chris,
I think the one thing just to mention first is that Silverlight is a stateful client and Viewstate as you know is to be able to keep state in an otherwise stateless environment.
As far as securing data goes, you can look at System.Security.Cryptography to encrypt information if you feel you need to secure it. But since it is running in an application on the client I think it will be pretty hard to mess with your data.
Lastly you will need to transfer your data over secured services.
Hope it helps.
07-06-2009 9:59 AM |
Unless I'm misunderstanding how Silverlight works with WCF, each call to a WCF service is PerCall, and no session is maintained. That means I need to return private variables that I may not want the client to see, and definitely don't want them to change. Here is some pseudocode:

CLR Object on client:
public class RemoteCall
{
    // Unix ProcessID that we will need to check
    public int ProcessID;
    public string MachineName;
}

WCF Service:
List<RemoteCall> GetProcesses()
{
    // Get the process relevant to the current user
}

void DoSomethingToProcess(RemoteCall call)
{
    // Connect to machine named in RemoteCall.MachineName
    // Do something to that process... let's hope that the end user didn't change our stateful variables to something bad.
}
I was able to accomplish this with ASP.Net's viewstate with no knowledge of the System.Cryptology classes. Could anyone get me started with encrypting server-side data so that it is unreadable on the client, and only readable on the server? I'd like something fast, and preferably with the same implementation as viewstate.
Thanks!
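One way to get ViewState-style protection for the RemoteCall values in the last post, as an added example that is not code from any poster in this thread: the service encrypts the state and appends an HMAC before handing it to the client, then checks the HMAC when the token comes back. The StateProtector class, the token layout and the sample values are assumptions for illustration, and the code targets .NET 6 or later on the service side.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Server-side only: both keys stay on the service, like ASP.NET's machineKey.
public sealed class StateProtector
{
    private readonly byte[] _encKey, _macKey;
    public StateProtector(byte[] encKey, byte[] macKey) { _encKey = encKey; _macKey = macKey; }

    // Token layout: base64( IV(16) || AES-CBC ciphertext || HMAC-SHA256 tag(32) )
    public string Protect(string state)
    {
        using var aes = Aes.Create();
        using var hmac = new HMACSHA256(_macKey);
        aes.Key = _encKey;
        aes.GenerateIV();                            // fresh random IV per token
        byte[] ct = aes.EncryptCbc(Encoding.UTF8.GetBytes(state), aes.IV);
        byte[] body = aes.IV.Concat(ct).ToArray();
        return Convert.ToBase64String(body.Concat(hmac.ComputeHash(body)).ToArray());
    }

    // Checks the tag before decrypting; throws if the token was altered.
    public string Unprotect(string token)
    {
        byte[] raw = Convert.FromBase64String(token);
        if (raw.Length < 64) throw new CryptographicException("token too short");
        byte[] body = raw[..^32], tag = raw[^32..];
        using var hmac = new HMACSHA256(_macKey);
        if (!CryptographicOperations.FixedTimeEquals(hmac.ComputeHash(body), tag))
            throw new CryptographicException("state token failed integrity check");
        using var aes = Aes.Create();
        aes.Key = _encKey;
        return Encoding.UTF8.GetString(aes.DecryptCbc(body[16..], body[..16]));
    }

    public static void Main()
    {
        // Constructed demo keys and state values (hypothetical user, machine and PID).
        var p = new StateProtector(RandomNumberGenerator.GetBytes(32), RandomNumberGenerator.GetBytes(32));
        string token = p.Protect("user=alice;MachineName=build01;ProcessID=4242");
        Console.WriteLine(p.Unprotect(token));       // state round-trips on the server
        char[] c = token.ToCharArray();
        c[30] = c[30] == 'A' ? 'B' : 'A';            // simulate client-side tampering
        try { p.Unprotect(new string(c)); }
        catch (CryptographicException) { Console.WriteLine("tampered token rejected"); }
    }
}
```

Putting the caller's identity and an expiry time inside the protected state lets the service reject a token that is replayed by a different user or after its intended lifetime.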