Passing Data between Pages in ASP.NET

CodeGuru content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

If there’s one question I see time and time again in the various .NET forums that I frequent, it is “How do I pass data from one page to the next?” in my web application.

Those of you who are .NET veterans will likely be going ‘Groan, not another page/data passing post’, but I’m going to defend this article by reminding everyone that there was a time when even experts were seeking this knowledge. A little refresher every now and then never hurts anyone!

Why is Passing Data Such a Big Problem?

The web by its very nature is totally stateless. If you request a page, then your browser requests an image that’s on that page, those two actions as far as the web server you’re talking to is concerned, came from completely different people/computers/entities or however you want to describe yourself.

If you’ve ever done any traditional desktop application development, then this will be absolutely alien to you, because in a desktop app every bit of data you maintain is always available to each and every bit of functionality you create.

Because of this “statelessness” many different methods of trying to maintain state in a web application have been devised. Some of these methods are better than others, and it’s this fact that tends to trip most newcomers up. Generally they’re not asking how to do it, but rather asking which the best method to use is.

The Best Method for Passing Data between Pages

What is the best method for passing data between pages? The truth is, there isn’t one.

The method you use depends very much on your project and any specifics that mean one is more appropriate than others. For example, let’s take the session cache; that’s the first port of call for many folks because when they research the subject, it’s often the first thing that comes to light. But the Session Cache can actually be the source of many problems, especially in a load balanced environment where there are many back end servers which don’t actually share physical server instances.  In this case using the Session is particularly bad because you might populate a value on one request and the response might be served from a different server, leading to the value you just saved not actually having a value.

Then there’s the timeout issue; session variables (and some others) have an automatic timeout, which means that leave the page for too long and you’ll suddenly find that the value you pass doesn’t even get saved.

What you absolutely have to do is look at each method in turn and match it up against your project specifications to see which is best.  In fact, in many cases you’re actually better combining some of the methods.  For example, using an external database store needs a key to identify your data, and that key still needs to be passed from page to page in order for following pages to retrieve the actual data.

What Methods are Available for Passing Data?

There are lots of methods available for passing data. I could do an entire series on them with one article per method, and make it last for about six months! For this article, however, we’re going to look at the five or six most common methods.

Method 1 – Url parameter passing

  • Pros : Simple to use, can handle relatively large data loads, works everywhere
  • Cons : Looks ugly, not search engine friendly, very insecure, open to tampering

Example: (setting)

Response.Redirect("Page2.aspx?test=" + txtTestBox.Text);

Example: (Retrieving)

if (!string.IsNullOrEmpty(Request.QueryString["test"]))
{
  lblDefaultData.Text = Request.QueryString["test"];
}
else
{
  lblDefaultData.Text = "NO DATA PROVIDED OR COULD NOT BE READ";
}

If security is in any way of concern in your application then do not use this method.  This is single headedly one of the most common ways that an application is breached. Imagine if you will that instead of a simple text string, you appended say ‘userid=2’, and I then came along and changed the address in my browser to say ‘userid=1’ , what might happen?

An alternative to this is to use URL parameters (the method most used by ASP.NET MVC), where the url is formed something like:

http://page2/param1/param2/

This is far more friendly to search engines, but is still very insecure in so much that the values are still visible in plain text, even if it is now harder to see what the variable names are.

If you do choose to use this method, then you MUST make sure that you’re sanitising any inputs thoroughly, and not just any generated by the user; assume that everything you pass using this method is bad or has been tampered with in some way.

For simple use cases, such as linking product pages together or very simple applications such as a static blog, then this will often be a very simple to use method to use, and it scales to multiple servers easily.

Method 2 – Form Posting

  • Pros: Simple to use, can handle very large data loads, works everywhere, the defacto method used for in page forms
  • Cons: can be insecure and open to tampering using tools like fiddler, needs the user to action via a button on page (Can be automated but needs extra JavaScript)

Example: (setting)

<form method="post" action="Page2.aspx">
  <h1>Page passing tests (Method 2 - form post)</h1>
  <p>Please enter some data in the field below and click send</p>
  <input type="text" id="test" name="test

More by Author

Get the Free Newsletter!

Subscribe to Developer Insider for top news, trends & analysis

Must Read