
ASP.NET Core purpose string for IDataProtector


"Using the namespace and type name of the component consuming the data protection APIs is a good rule of thumb, as in practice this information will never conflict." - Microsoft Docs

I want to protect some URL data using a data provider. Should I use a different purpose string for each controller on CreateProtector?

In case I share any data with the controller, unprotecting the data will obviously give an exception.

So, should I use one purpose string for all the controllers, or should I use a unique purpose string for each controller?



Solution

  • Should I use a different purposed string for each controller on CreateProtector?

    This needs to be decided according to your needs. In general, a purpose string is sufficient.

    Microsoft doc:

    When you create a protector you must provide one or more Purpose Strings. A purpose string provides isolation between consumers. For example, a protector created with a purpose string of "green" wouldn't be able to unprotect data provided by a protector with a purpose of "purple".

    I think this applies only to your current application: it is a function that data protection provides, only to generate and verify data.

    Assuming that the strings used in webappA and webappB are both string1, the protected string generated in webappA cannot be parsed in webappB.

    This shows that it is relatively safe, so you can use different purpose strings in different controllers. When parsing, the corresponding controller just needs to use the corresponding purpose string.
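The isolation discussed above, as an added example that is not part of the question, the answer, or Microsoft's documentation: a payload protected under one controller's purpose is rejected under another's, while a purpose shared by both round-trips. The `MyApp.*` purpose strings and the `TryUnprotect` helper are hypothetical, and `EphemeralDataProtectionProvider` (in-memory keys) stands in for the `IDataProtectionProvider` an ASP.NET Core app would inject.

```csharp
using System;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;

// Constructed demo: keys live in memory only, so tokens do not survive a restart.
// In a real app, take IDataProtectionProvider from dependency injection instead.
IDataProtectionProvider provider = new EphemeralDataProtectionProvider();

// Hypothetical purposes following the "namespace + type name" rule of thumb.
const string OrdersPurpose = "MyApp.Controllers.OrdersController";
const string InvoicesPurpose = "MyApp.Controllers.InvoicesController";
// Hypothetical purpose for URL data that several controllers must read.
const string SharedUrlPurpose = "MyApp.UrlTokens.v1";

IDataProtector orders = provider.CreateProtector(OrdersPurpose);
IDataProtector invoices = provider.CreateProtector(InvoicesPurpose);

// Protect(string) returns a base64url string, so it can go into a URL as-is.
string orderToken = orders.Protect("orderId=42");

// Same purpose: the payload round-trips.
Console.WriteLine($"orders   -> orders:   {TryUnprotect(orders, orderToken, out _)}");

// Different purpose: Unprotect throws CryptographicException, so a token
// issued for one controller cannot be replayed against another.
Console.WriteLine($"orders   -> invoices: {TryUnprotect(invoices, orderToken, out _)}");

// Data that must cross controllers: both sides create the protector
// with the same dedicated purpose string.
IDataProtector issuer = provider.CreateProtector(SharedUrlPurpose);
IDataProtector reader = provider.CreateProtector(SharedUrlPurpose);
string urlToken = issuer.Protect("returnUrl=/home");
Console.WriteLine($"shared   -> shared:   {TryUnprotect(reader, urlToken, out _)}");

// Purposes chain: a sub-purpose narrows the scope further, and the
// parent protector cannot read what the child protected.
IDataProtector ordersEdit = orders.CreateProtector("Edit");
string editToken = ordersEdit.Protect("orderId=42");
Console.WriteLine($"edit     -> orders:   {TryUnprotect(orders, editToken, out _)}");

// Helper: treat a failed Unprotect as "not valid for this purpose".
static bool TryUnprotect(IDataProtector protector, string token, out string? plaintext)
{
    try { plaintext = protector.Unprotect(token); return true; }
    catch (CryptographicException) { plaintext = null; return false; }
}
```

Handle the `CryptographicException` path as an ordinary invalid-token response, since any tampered, expired-key, or wrong-purpose value in a URL ends up there.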