How to pass the ASP.NET user and routing data to JavaScript?

By Asp

I have some data about users and routes in ASP.NET.
How to use it in JavaScript?

Currently, I have the following lines in the _Layout.cshtml file:

@{ Html.RenderAction("ContextScript", "WebParts "); }

ContextScript is an action that returns the following partial view:

Then, many bundled scripts are reading this context.

However, I firmly believe there is A better choice because:

>User and routing information is available globally, polluting it and making this context available for malicious browser plugins, XSS injection scripts (who knows), etc.
>Disclosed some information about the implementation to the end user

What is the correct and safe way to do this?

From more than two years of experience, I can see my unanswered questions. I want to talk about using AJAX Probably the most suitable solution:

In other words, RouteData can be injected as is:

But user data should be exposed as API:

// ASP.NET -> Models
public class CurrentUserModel
{
 public CurrentUserModel(...) 
 {
 // initialize properties
 }

 public bool IsAuthenticated {get; }

 public string Username {get; }

 // other properties go here
}

// AS P.NET -> Controllers
public class UserController: ApiController 
{
 // GET /user/current
 [HttpGet] 
 [AllowAnonymous]
 public async Task Current()
 {
 CurrentUserModel model = new CurrentUserModel(...);
 return Ok(model); 
 }
}

// Client-side

The GET operation is used here as a REST-style example. Additional security considerations are required. For example, if your API is hosted on the same domain and used Cookie for authentication, then please consider applying AntiForgeryToken or switching to the POST method to prevent CSRF attacks.

I have some data about users and routing in ASP.NET.
How to use it in JavaScript?

Currently, I have the following lines in the _Layout.cshtml file:

@{ Html.RenderAction("ContextScript", "WebParts "); }

ContextScript is an action that returns the following partial view:

Then, many bundled scripts are reading this context.

However, I firmly believe that there is one A better choice because:

>User and routing information is available globally, polluting it and making this context available for malicious browser plugins, XSS injection scripts (who knows), etc.
>Disclosed some information about the implementation to the end user

What is the correct and safe way to do this?

Judging from my own unanswered questions from more than two years of experience, I would like to say that using AJAX may be the most appropriate solution:

< /p>

In other words, RouteData can be injected as-is:

But user data should be exposed as API:

/ / ASP.NET -> Models
public class CurrentUserModel
{
 public CurrentUserModel(...) 
 {
 // initialize properties
 }


 public bool IsAuthenticated {get; }


 public string Username {get; }


 // other properties go here
}

// ASP.NET -> Controllers
public class UserController: A piController 
{
 // GET /user/current
 [HttpGet] 
 [AllowAnonymous]
 public async Task Current()
 {< br /> CurrentUserModel model = new CurrentUserModel(...);
 return Ok(model); 
 }
}


// Client-side
 


The GET operation is used here as a REST-style example. Additional security considerations are required. For example, if your API is hosted on the same domain and uses cookies for authentication, then please consider applying AntiForgeryToken or switching to POST Methods to prevent CSRF attacks.
, , , , , , ,

Leave a Comment

Your email address will not be published.