Viewstate

A.M

Hi,

Even though I have <%@ Page ... enableViewState="False" %> at the top of the page,
my page output still has this line in the HTML source:

<input type="hidden" name="__VIEWSTATE"
value="dDwtNDA5MjAwODMzOzs+oEzHP8LaGy6LbKZFvbULn4iCHX8=" />


How can I completely disable ViewState?

Thanks,
Alan
 
Steven Cheng[MSFT]

Hi Alan,

As for the "__VIEWSTATE" hidden field, generally it is used to store the
ViewState of the Page (which contains the data that needs to persist between
postbacks). In addition to that data, "__VIEWSTATE" is also used to
store some internal information that will be used by ASP.NET. That's why,
when we disable the ViewState of the page, the "__VIEWSTATE" hidden field
still exists. There are also some former threads in the newsgroup
discussing this problem, and some have provided workarounds such as
not using the server-side form or removing the hidden field at the client side.
Here are some of them:

http://groups.google.com/groups?hl=zh-CN&lr=&ie=UTF-8&threadm=O72wzOjoDHA.964%40TK2MSFTNGP10.phx.gbl&rnum=6&prev=/groups%3Fq%3Dasp.net%2Bremove%2B__viewstate%26ie%3DUTF-8%26hl%3Dzh-CN

http://groups.google.com/groups?hl=zh-CN&lr=&ie=UTF-8&threadm=O5eNkK3#DHA.2336%40TK2MSFTNGP11.phx.gbl&rnum=11&prev=/groups%3Fq%3Dasp.net%2Bremove%2B__viewstate%26hl%3Dzh-CN%26lr%3D%26ie%3DUTF-8%26start%3D10%26sa%3DN

And below are some further tech articles which may also help on
understanding ViewState:

#ViewState: All You Wanted to Know
http://aspalliance.com/135

#Understanding ASP.NET View State
http://msdn.microsoft.com/library/en-us/dnaspp/html/viewstate.asp?frame=true

Thanks.

Regards,

Steven Cheng
Microsoft Online Support

Get Secure! www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)

Get Preview at ASP.NET whidbey
http://msdn.microsoft.com/asp.net/whidbey/default.aspx
 
A.M

Thank you for the reply.
My concern about __VIEWSTATE is that it can be a serious security threat down the
road.
Hackers can find a way to send big, problematic content to __VIEWSTATE.
How can I secure __VIEWSTATE? I already have this in my web.config, but I am not
sure whether it is enough or not:
<pages validateRequest="true" enableViewStateMac="true" >

Thanks
Alan
 
Steven Cheng[MSFT]

Hi Alan,

Thanks for your follow-up. Yes, since the ViewState is stored in the page as a
Base64 string by default, it is easy to decode and parse. But there
are also some means to protect it from being changed by others. The
"EnableViewStateMac" property will help to hash the ViewState output via
a hashing algorithm which can be set in web.config.

Also, the ViewState's serializer class, LosFormatter, provides limited
encryption support, though we don't recommend putting sensitive data in
ViewState :). For a detailed description of this, you can refer to the "View
State and Security Implications" section in the following tech article:

#Understanding ASP.NET View State
http://msdn.microsoft.com/library/en-us/dnaspp/html/viewstate.asp?frame=true#viewstate_topic12

Thanks.


Regards,

Steven Cheng
Microsoft Online Support
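
The following is an added example, not part of the original posts or of ASP.NET: it decodes the __VIEWSTATE value quoted in the first post to show that it is readable without any key, then shows how a keyed hash trailer lets a server reject an edited value. It assumes the last 20 bytes are a SHA1-sized hash; the HMAC-SHA1 in `seal`/`verify` and the key are constructed stand-ins, not ASP.NET's exact computation.

```python
import base64
import hashlib
import hmac

# __VIEWSTATE value quoted in the first post of this thread.
PAGE_VALUE = "dDwtNDA5MjAwODMzOzs+oEzHP8LaGy6LbKZFvbULn4iCHX8="
MAC_LEN = 20  # assumption: SHA1-sized hash appended after the serialized state


def split_viewstate(b64_value, mac_len=MAC_LEN):
    """Return (serialized_state, hash_trailer) from a Base64 __VIEWSTATE value."""
    raw = base64.b64decode(b64_value, validate=True)
    if len(raw) <= mac_len:
        raise ValueError("too short to hold state plus a hash trailer")
    return raw[:-mac_len], raw[-mac_len:]


def seal(state, key):
    """Append a keyed hash. Generic HMAC-SHA1, a stand-in for the server's own scheme."""
    return base64.b64encode(state + hmac.new(key, state, hashlib.sha1).digest()).decode()


def verify(b64_value, key):
    """Return the state if its trailer matches the key, else None (reject the post)."""
    try:
        state, trailer = split_viewstate(b64_value)
    except ValueError:  # malformed Base64 or truncated value
        return None
    expected = hmac.new(key, state, hashlib.sha1).digest()
    return state if hmac.compare_digest(trailer, expected) else None


if __name__ == "__main__":
    state, trailer = split_viewstate(PAGE_VALUE)
    print("readable state:", state.decode("ascii"))  # no key needed to read it
    print("hash trailer  :", trailer.hex())

    key = b"constructed-demo-key"  # constructed, not a real validationKey
    sealed = seal(state, key)
    _, good_trailer = split_viewstate(sealed)
    # Same trailer, one digit of the state changed: the hash no longer matches.
    edited = base64.b64encode(b"t<-409200834;;>" + good_trailer).decode()
    print("untouched accepted:", verify(sealed, key) == state)
    print("edited rejected   :", verify(edited, key) is None)
```

The hash only detects modification; the state itself stays readable, which is why the reply above advises against putting sensitive data in ViewState.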

 
