It is not stored in plain English though; it is encoded using Base64. However, since anyone can decode a Base64 string, the view state data is considered openly readable by anyone. Plus, a malicious user could tamper with the view state to do something evil. To deal with this, ASP.NET will "hash" the view state and then store the result of the "hash" in the __ViewState field. ASP.NET takes the view state and the MAC (Machine Authentication Code) and runs them through a hashing algorithm to produce the hash value stored in the source. Hashing the view state protects it from being tampered with. However, the view state data can still be viewed even though it has been hashed. Not sure how at the time of this writing, but apparently, it can be done. Anyway, if there is something especially confidential in the view state you can encrypt it.
If you want to see what is in the __ViewState field, just run Fiddler and load a web page in a browser. Look at the source and locate the __ViewState field. Select the gobbledygook, right click and send it to the TextWizard. Decode it from Base64 to see the data. If it is still gobbledygook, then it has been hashed or encrypted or both. You'll need to turn off hashing and encrypting the view state. You can do this in the web.config file by adding this inside the system.web node:
<pages viewStateEncryptionMode="Never" enableViewStateMac="false" ></pages>

Recently, I was told that some of our .NET 2.0 applications were not encrypting the view state. In fact, when I viewed it in Fiddler, it wasn't even hashed! So I added this to the system.web node in the web.config file:

<pages viewStateEncryptionMode="Always" enableViewStateMac="true" ></pages>

Interestingly, I had to add this:

<machineKey validation="3DES" />

inside the system.web node as well. I'm not sure why I had to do this on one site but not the other. I think the Machine Key section in IIS for the site was configured differently, but I'm not positive. Just make sure the view state is actually being encrypted by using Fiddler.
It appears that the hashing and encryption of the view state are done by default in later versions of the .NET Framework.