Post Serialized Objects (Data) in ASP.NET

• Download sample - 27 KB

Introduction 

This is helper class to post serialized objects to other page.

Background

Many times we need to carry data from one page to another page in ASP.NET. Out of available options query string suffers security issues and size limitations; Server.Transfer is secure but keeps same old URL in browser. Third approach is posting data to page. But ASP.NET does not provide any built any functionality to do that. Here is a helper class which serializes objects, encrypts them and then posts to destination URL. Same utility can be used at destination page to read the data.

How it works?

Whole process includes following steps.

1. Serializing data :

To post data, it first needs to be serialized into a string. Here object is serialized using LosFormatter (used to serialize viewstate). Other options that can be used are XMLSerializer and SoapFormatter or any other formatter that converts objects to strings. XmlSerializer suffers from a drawback that it cannot serialize objects which implement IDictionary interface. While choosing a formatter, you will be required to think about time taken for serializing and de-serializing objects and size of formatted data.

2. Encrypting data: 

As data will be written to client before it gets posted, encryption is necessary to ensure security. Here Triple DES encryption is used. Other encryption techniques can also be used.

3. Posting data

Serialized, encrypted and HTML encoded objects are then written to client in a multipart form, as hidden fields, which is then auto-submitted using JavaScript. Noscript tag must also be written, as JavaScript might be disabled and in such a case application may get stuck and user will not know what actually happened. I have intentionally added one variable with key __TransferData, to distinguish between data posted by other utilities. It also carries Form Name as value.

4. Reading back

Reading involves decoding, decrypting and de-serializing objects.    

Using the code

Following lines of code illustrate how this utility class can be used to post data to other page:

PostDataHelper helper = new PostDataHelper(Request, Response);

//Set Form Name, by which receiving page may identify posting page
helper.FormName = "Person Form";

//Add objects with unique keys
helper.Data.Add("Person1", new Person("ABC", "XYZ"));
helper.Data.Add("Person2", new Person("123", "456"));

//Call method to post data
helper.RedirectWithData("Default2.aspx");

Objects being added need to be serializable.  As MSDN state here, Losformatter is for classes containing strings, arrays, and hash tables. So if efficiency is a concern, you can check for other serialization options. 

Reading the data is equally simple:

PostDataHelper helper = new PostDataHelper(Request, Response);

//Read posted data
helper.ReadPostedData();

//Read form name and objects
Response.Write("Form Name : " + helper.FormName + "<br/>");
if (helper.Data.HasObjectForKey("Person1"))
    Response.Write("Person1 : " + helper.Data.Get("Person1") + "<br/>");

if (helper.Data.HasObjectForKey("Person2"))
    Response.Write("Person2 : " + helper.Data.Get("Person2") + "<br/>");

Form name can be used in cases where multiple pages are posting to same page and you need to differentiate between them.

Note

If page, which is posting data, is intended to be called through a WebRequest, this utility class won't work. Reason behind this is use of JavaScript for form submission, which won't be executed by WebRequest. If, only WebRequest is going to be used (like API), you can opt for Server.Transfer and in case of mixed mode i.e. both WebRequest and browser, a flag can be passed to differentiate between calls.

History 

• Feb 25 2013: Update content and added note.