Click here to Skip to main content
15,881,172 members
Articles / Web Development / HTML

How to Make ViewState Secure in ASP.NET

Rate me:
Please Sign up or sign in to vote.
4.93/5 (20 votes)
26 Jan 2011CPOL2 min read 117.4K   21   8
Ways in which you can prevent someone from decrypting ViewState data


The ASP.NET ViewState is a client side state management mechanism. The ViewState is stored in a hidden field with an ID __VIEWSTATE. Typically, stored ViewState information looks like:


Now let us look at the value. It looks likes an encrypted string. This is nothing but a Base64 encoded string, and is not an encrypted string. So it can be easily decoded.

The main reasons for using Base64 encoding are as follows:

  1. Base64 makes a string suitable for HTTP transfers
  2. It makes it a little harder to read

But people often get confused that this is an encrypted string.

Let us try to decode the string using ViewState Decoder (a nice tool created by Fritz Onion).


After decoding the string, we can see the exact data that is stored inside the ViewState

You can write a few lines of code to decode the text and you will get the actual View State information.


So here is how the ViewState works:

By default, ViewState is serialized into a Base-64 encoded string. On postback, the ViewState information is loaded and reapplied to the persisted state of the control in the control hierarchy.


There are two different ways in which you can prevent someone from decrypting ViewState data.


When we use EnableViewStateMac="True", during ViewState save, ASP.NET internally uses a hash code. This hash code is a cryptographically strong checksum. This is added with the ViewState content and stored in a hidden filed. During postback, the checksum data is verified again by ASP.NET. If there is a mismatch, the postback will be rejected.



  1. You can make sure that the ViewState information is tamper-proof by using "hash codes". You can do this by adding EnableViewStateMAC=true in your page directive. MAC stands for "Message Authentication Code".
  2. The second option is to set ViewStateEncryptionMode="Always" with your page directives. This will encrypt the ViewState data. You can do this like:

ViewStateEncryptionMode has three different options that can be set:

  • Always: Encrypt the ViewState always.
  • Auto: Encrypt if a control requests for encryption. For this to happen, the control must call the Page.RegisterRequiresViewStateEncryption() method.
  • Never: Never encrypt the ViewState.

If you set ViewStateEncryptionMode="Always" and try to decode ViewState data, you will get information as shown below:


We can also enable these settings for EnableViewStateMAC and ViewStateEncryptionMode in web.config:


Note: Try to avoid ViewState encryption if it is not necessary as it can cause performance issues.

If you are a beginner to ViewState, please read my article on ViewStateBeginner’s Guide to View State.


This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Written By
Technical Lead
India India
.NET Consultant | Former Microsoft MVP - ASP.NET | CodeProject MVP, Mentor, Insiders| Technology Evangelist | Author | Speaker | Geek | Blogger | Husband

Blog :
Web Site :
Twitter : @AbhijitJana
My Kinect Book : Kinect for Windows SDK Programming Guide

Comments and Discussions

QuestionMy vote of 5 Pin
newton.saber8-Oct-14 1:48
newton.saber8-Oct-14 1:48 
GeneralMy vote of 3 Pin
Arash K121-Jun-13 4:27
professionalArash K121-Jun-13 4:27 
GeneralMy vote of 5 Pin
Manish Langa28-Dec-12 0:22
Manish Langa28-Dec-12 0:22 
GeneralAny example or code about Page.RegisterRequiresViewStateEncryption() Pin
Domino8819-Mar-11 18:32
Domino8819-Mar-11 18:32 
GeneralMy vote of 5 Pin
Sandeep Mewara27-Jan-11 0:44
mveSandeep Mewara27-Jan-11 0:44 
Generalthanks for sharing - have 5 Pin
Pranay Rana26-Jan-11 17:44
professionalPranay Rana26-Jan-11 17:44 
GeneralMy vote of 5 Pin
Abhishek Sur26-Jan-11 8:37
professionalAbhishek Sur26-Jan-11 8:37 
GeneralMy vote of 5 Pin
Kunal Chowdhury «IN»26-Jan-11 7:00
professionalKunal Chowdhury «IN»26-Jan-11 7:00 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.