Security Issues

Security Issues with ViewState

ViewState in ASP.NET can easily be tampered with because the ViewState data is not encrypted. Therefore, do not store important data or information in ViewState. If you really must store important data in ViewState, the following steps can be used to protect and encrypt the ViewState data.
1. Enable ViewState MAC in the page directive or at the web.config level

<%@ Page EnableViewStateMac="true" %>

2. Set the machine.config key, choosing a validation algorithm such as 3DES or SHA1. SHA1 is the more secure choice compared with 3DES, since it produces a larger hash than MD5 and is cryptographically stronger.

Edit your machine.config file like this:

<machineKey validation="3DES" validationKey="AutoGenerate,IsolateApps"/>

or

<machineKey validation="SHA1" validationKey="AutoGenerate,IsolateApps"/>

If you are running a web farm, you cannot use AutoGenerate for your validationKey; you must set the same key on every machine in the farm. Otherwise, ViewState generated on one machine cannot be posted back to a farm machine that holds a different key. The key should be 128 characters long (the maximum) and generated by truly random means.
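As an added example (not code from the original post), the script below generates a random 128-hex-character validationKey, emits the shared machineKey element a web farm needs, and then shows why a MAC matters: state signed with HMAC-SHA1 is accepted intact but rejected once edited or when verified under a different key. The MAC layout is a simplified illustration, not ASP.NET's own ViewState wire format, and the sample state string is constructed.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

TAG_LEN = hashlib.sha1().digest_size  # 20 bytes


def generate_validation_key(hex_chars: int = 128) -> str:
    """Random validationKey as hex; 128 hex chars (64 bytes) is the maximum.
    secrets.token_hex draws from the OS CSPRNG, never from a PRNG seeded by time."""
    return secrets.token_hex(hex_chars // 2)


def machine_key_element(validation_key: str, validation: str = "SHA1") -> str:
    """Explicit <machineKey> every web-farm node must share (no AutoGenerate)."""
    if validation not in ("SHA1", "3DES"):
        raise ValueError("validation must be SHA1 or 3DES")
    if len(validation_key) != 128 or any(c not in "0123456789abcdefABCDEF" for c in validation_key):
        raise ValueError("validationKey must be 128 hex characters")
    return f'<machineKey validation="{validation}" validationKey="{validation_key}"/>'


def mac_sign(state: bytes, validation_key: str) -> str:
    """Append an HMAC-SHA1 tag to the serialized state and base64-encode the pair."""
    tag = hmac.new(bytes.fromhex(validation_key), state, hashlib.sha1).digest()
    return base64.b64encode(state + tag).decode("ascii")


def mac_verify(encoded: str, validation_key: str) -> Optional[bytes]:
    """Return the state if the tag matches; None if the state was edited
    or signed under another key (the web-farm mismatch described above)."""
    raw = base64.b64decode(encoded)
    state, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(bytes.fromhex(validation_key), state, hashlib.sha1).digest()
    return state if hmac.compare_digest(tag, expected) else None


def tamper_payload(encoded: str, old: bytes, new: bytes) -> str:
    """Test helper: edit the decoded state without the key, as a MAC check must catch."""
    return base64.b64encode(base64.b64decode(encoded).replace(old, new)).decode("ascii")


if __name__ == "__main__":
    key = generate_validation_key()
    print(machine_key_element(key))
    token = mac_sign(b"IsAdmin=false", key)          # constructed sample state
    print("intact  :", mac_verify(token, key))
    print("tampered:", mac_verify(tamper_payload(token, b"false", b"true"), key))
```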
