Click here to Skip to main content
Full site     10M members (32.5K online)    
Visit CodeProject.TV
Discuss CodeProject.TV

How to make ViewState secure in ASP.NET

Introduction

The ASP.NET ViewState is a client side state management mechanism. The ViewState is stored in a hidden field with an ID __VIEWSTATE. Typically, stored ViewState information looks like:

image 

Now let us look at the value. It looks likes an encrypted string. This is nothing but a Base64 encoded string, and is not an encrypted string. So it can be easily decoded.

The main reasons for using Base64 encoding are as follows:

  1. Base64 makes a string suitable for HTTP transfers
  2. It makes it a little harder to read

But people often get confused that this is an encrypted string.

Let us try to decode the string using ViewState Decoder (a nice tool created by Fritz Onion).

image

After decoding the string, we can see the exact data that is stored inside the ViewState. 

You can write a few lines of code to decode the text and you will get the actual View State information.

image

So here is how the ViewState works:

By default, ViewState is serialized into a Base-64 encoded string. On postback, the ViewState information is loaded and reapplied to the persisted state of the control in the control hierarchy.

Solution

There are two different ways in which you can prevent someone from decrypting ViewState data.

  1. You can make sure that the ViewState information is tamper-proof by using "hash codes". You can do this by adding EnableViewStateMAC=true in your page directive. MAC stands for "Message Authentication Code".

    2. image

    When we use EnableViewStateMac="True", during ViewState save, ASP.NET internally uses a hash code. This hash code is a cryptographically strong checksum. This is added with the ViewState content and stored in a hidden filed. During postback, the checksum data is verified again by ASP.NET. If there is a mismatch, the postback will be rejected.

    image

  2. The second option is to set ViewStateEncryptionMode="Always" with your page directives. This will encrypt the ViewState data. You can do this like:

    3. image

ViewStateEncryptionMode has three different options that can be set:

If you set ViewStateEncryptionMode="Always" and try to decode ViewState data, you will get information as shown below:

image

We can also enable these settings for EnableViewStateMAC and ViewStateEncryptionMode in web.config:

image

Note: Try to avoid ViewState encryption if it is not necessary as it can cause performance issues.

If you are a beginner to ViewState, please read my article on ViewState – Beginner’s Guide to View State.

 
Hint: For improved responsiveness ensure Javascript is enabled and choose 'Normal' from the Layout dropdown and hit 'Update'.
You must Sign In to use this message board.
Search 
Per page   
First Prev Next
GeneralMy vote of 5
Langa Manish		28 Dec '12 - 0:22 
GeneralAny example or code about Page.RegisterRequiresViewStateEncryption()
Domino88		19 Mar '11 - 18:32 
GeneralMy vote of 5
Sandeep Mewara		27 Jan '11 - 0:44 
Generalthanks for sharing - have 5
Pranay Rana		26 Jan '11 - 17:44 
GeneralMy vote of 5
Abhishek Sur		26 Jan '11 - 8:37 
GeneralMy vote of 5
Kunal_Chowdhury		26 Jan '11 - 7:00 
Last Visit: 31 Dec '99 - 18:00     Last Update: 13 May '13 - 16:46Refresh1

Last Updated 26 Jan 2011 | Advertise | Privacy | Terms of Use | Copyright © CodeProject, 1999-2013