Quote:
You also want to sign your ViewState with the current user session and prevent the ViewState from being passed in on the query string to block what some refer to as a one-click attack.
Preventing a one-click attack:
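    void Page_Init(object sender, EventArgs e)
    {
        // Store a value so the session is persisted and SessionID stays
        // stable across requests.
        if (Session.IsNewSession)
        {
            Session["ForceSession"] = DateTime.Now;
        }

        // Bind the ViewState MAC to this user's session.
        this.ViewStateUserKey = Session.SessionID;

        if (Page.EnableViewState)
        {
            // Request.Params also covers the query string; reject a
            // __VIEWSTATE that did not arrive in the posted form.
            if (!string.IsNullOrEmpty(Request.Params["__VIEWSTATE"]) &&
                string.IsNullOrEmpty(Request.Form["__VIEWSTATE"]))
            {
                throw new Exception("Viewstate existed, but not on the form.");
            }
        }
    }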
Refer:
ASP.NET Security - Securing Your ASP.NET Applications | Microsoft Docs
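Why signing the ViewState with the user session blocks a one-click attack, shown with a simplified model. This is an added example, not code from the post above or from ASP.NET; the HMAC construction, key, class name and session IDs are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Simplified model of a user-keyed state MAC. This is NOT ASP.NET's internal
// algorithm; the key, names and sample session IDs below are constructed.
static class UserKeyedState
{
    // Stand-in for the server-side validation key (constructed value).
    static readonly byte[] ServerKey = Encoding.UTF8.GetBytes("constructed-demo-key");

    // The MAC covers both the state and the user key, so the tag only
    // verifies for the session the state was issued to.
    static byte[] Mac(string state, string userKey)
    {
        using (var hmac = new HMACSHA256(ServerKey))
        {
            // Length prefix keeps (state, userKey) pairs unambiguous.
            byte[] data = Encoding.UTF8.GetBytes(state.Length + ":" + state + userKey);
            return hmac.ComputeHash(data);
        }
    }

    public static string Protect(string state, string userKey)
    {
        return Convert.ToBase64String(Mac(state, userKey)) + "|" + state;
    }

    public static bool Validate(string blob, string userKey)
    {
        int sep = blob.IndexOf('|');
        if (sep < 0) return false;
        byte[] tag;
        try { tag = Convert.FromBase64String(blob.Substring(0, sep)); }
        catch (FormatException) { return false; }
        byte[] expected = Mac(blob.Substring(sep + 1), userKey);
        if (tag.Length != expected.Length) return false;
        int diff = 0; // constant-time comparison of the two tags
        for (int i = 0; i < expected.Length; i++) diff |= tag[i] ^ expected[i];
        return diff == 0;
    }

    static void Main()
    {
        string blob = Protect("qty=1;item=42", "session-A");
        Console.WriteLine(Validate(blob, "session-A")); // posted back in the issuing session
        Console.WriteLine(Validate(blob, "session-B")); // same blob submitted under another session
    }
}
```

State issued under one session fails validation under any other, which is the property `ViewStateUserKey = Session.SessionID` relies on; it only holds if ViewState MAC validation is enabled.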