ASP.NET 2.0: ViewState Numbers

Published 21 July 05 08:06 AM | despos

Although they still use it as if nothing was the matter, some people are a bit worried about viewstate and security. My personal opinion is that you should be concerned about the view state, but not for the potential security holes it might open in your code—unless you love shooting yourself in the foot. You should be more concerned about the overall performance and responsiveness of the page. Especially for feature-rich pages that make use of plenty of controls, the view state can reach a considerable size, measured in KB of data. Such an extra burden taxes all requests, in download and upload, and ends up being a serious overhead for the application as a whole. Let's review some numbers trying to learn from best practices.

You should endeavour to keep a page size around 30 KB, to the extent that is possible of course. For example, the Google’s home page is less than 4 KB. The home page of ASP.NET counts about 50 KB. The Google’s site is not written with ASP.NET so nothing can be said about the viewstate; but what about the viewstate size of the home of the ASP.NET site? Interestingly enough, that page has only 1 KB of viewstate. On the other hand, this page on the same site (ASP.NET) is longer than 500 KB of which 120 KB is viewstate.


The ideal size for a viewstate is around 7 KB; it is optimal if you can keep it down to 3 KB or so. In any case, the viewstate, no matter its absolute size, should never exceed 30% of the page size. 

PS1: In ASP.NET 2.0, a new serialization format (incorporated in a new formatter class, ObjectStateFormatter), significantly cuts down the size of the viewstate by about 50%. Which is just great! All that you have to do is recompile... 

PS2: All numbers mentioned are based on the size of the pages as of July 20, 2005.

 

Comments

# RichB said on July 21, 2005 05:27 AM:

Trackback: http://blogs.aspadvice.com/rbirkby/archive/2005/07/21/6031.aspx

# Chris said on July 21, 2005 07:39 AM:

You got any more information how to use the new formatter class to reduce the viewstate - google doesnt show up much....

# Freelance Programmer said on July 21, 2005 08:44 AM:

Thanks for the info Dino. Another cool state improvement in ASP.NET 2.0 is controlstate.

# Nikhil Kothari said on July 21, 2005 10:44 AM:

For Chris, and others who are curious, information on the "how" is at http://www.nikhilk.net/ViewStateImprovements.aspx and http://www.nikhilk.net/ViewStateNotes.aspx.

# Rick Strahl said on July 21, 2005 03:49 PM:

Dino, how did you come up with these numbers? :-} It seems to me your optimal viewstate size and usage depends entirely on what you are doing and there's no such thing as a general rule for how big it should or shouldn't be.

IMHO, Viewstate should be avoided at all costs. ControlState's purpose (which I'm sure will be abused just as Viewstate) is what is truly useful for, but few developers (especially control developers) adhere to that motto.

# dominick said on July 21, 2005 06:52 PM:

what (besides the expiration problem) do you think is a security concern when using ViewState?

dominick

# DinoE said on July 22, 2005 04:13 AM:

Unless you shoot in the foot disabling the EnableViewStateMac flag on @Page, the viewstate poses NO security issues. Otherwise, a hacker who gains access to the page could decode the viewstate (there are several examples out there, I think from Nikhil and Fritz too), change some values, re-encode, and post it. Without the MAC on the server, I'm afraid the runtime environment has no way to detect the tampering with. This might be used for sort of one-click attacks.

EnableViewStateMac is enabled by default, though.

# DinoE said on July 22, 2005 04:24 AM:

Rick, that's a good question! The first time I've run across such numbers was through a MS paper, but I can't really remember what exactly. It could have been a conference talk, a whitepaper, a comment, even a chat. Really can't remember. Based on that, I conducted a kind of quick survey on some ASPX pages around.

My results are of course arguable and questionable and certainly have no scientific status. Let's say, the smallest you can keep a page, the best. 30 KB is a reasonable compromise, in the sense that most things can be stuffed in that size. Clearly, if you have 250 items to display your page size can grow up to half a MB as it is the case with the sample page I mentioned from the ASP.NET web site. At that point, it's a design issue and you're totally right saying that size of page and viewstate are mostly app-specific.

Within these boundaries, though, I believe a few guidelines can be outlined. The most important of which is not much that viewstate should be limited to a few KB, but that it should take a minimal percentage of the overall page size. Which percentage? Being the viewstate a helper, I'd say no more than 25% or 30% at the most. But here I'm just throwing numbers using only a bit of common sense...

Consider that with a classic grid in the page, the viewstate takes up about 50% of the page size (even more in ASP.NET 1.x). If you can disable the viewstate altogether, do it. But at least, avoid storing there the avoidable. Long list of countries, for example, write LOTS of stuff in the viewstate. Useless stuff, in this case.

Control state is only useful to control developers, I believe.

# Alex Lowe said on July 26, 2005 02:43 PM:

http://www.asp.net/ControlGallery/default.aspx?Category=7&tabindex=0 will be updated and reduced to 400k in size (total). Oh, and that code that runs that page was written in 2001. =)

# Rob Howard said on July 26, 2005 03:27 PM:

Yeah, I'll plead guilty to writing that page. I believe it was written with the beta of ASP.NET 1.0 :)

# Dino Esposito said on July 28, 2005 03:08 AM:

I'd bet that there are so maaany pages like that around ... (including mine...)

It would be nice to hear the team's voice on the numbers...

# Developer said on August 10, 2005 03:48 AM:

Dino, how were you able to weight the viewState of the page? You said it was like 120KB, how can I know such information?

Thank you,

# DinoE said on August 10, 2005 04:05 AM:

>>how were you able to weight the viewState of the page? You said it was like
>>120KB, how can I know such information?

Open the page, view its source and copy the contents of the viewstate hidden field to Word and count the chars

# vishal said on August 11, 2005 12:28 AM:

ee

#   Comprimiento VIEWSTATE en p??ginas ASP.NET by Javier Romero :: temperamental .NET developer said on June 15, 2007 11:42 AM:

Pingback from    Comprimiento VIEWSTATE en p??ginas ASP.NET by Javier Romero :: temperamental .NET developer

# dgoyani said on August 3, 2007 05:52 AM:

I am facing some serious issues with View State. Production server is throwing view state error because the number is around 128KB. And proxy server is truncating view state content. When the request comes back for processing it throws Invalid_Viewstate_Client_Disconnected exception. I am sure it is because alter in viewstate string. I can't go and rewrite that page however if I can somehow increase allowed size of page content on server, I would get rid of it.

Any guess?

Thanks,

dgoyani

dgoyani@gmail.com

# Work vs. Play said on October 25, 2007 11:57 PM:

This is some stuff I've been meaning to post to the wiki at work because I've had a lot of questions

# Work vs. Play said on October 26, 2007 12:45 AM:

This is some stuff I've been meaning to post to the wiki at work because I've been asked a lot

# problem with button element styling | RSS Reader said on April 25, 2008 01:08 PM:

Pingback from  problem with button element styling | RSS Reader

# High Quality FLASH Template for Just 5$ USD | RSS Reader said on April 25, 2008 01:13 PM:

Pingback from  High Quality FLASH Template for Just 5$ USD | RSS Reader

# Our 1st project together: a site for alternative healing practice | RSS Reader said on April 25, 2008 02:37 PM:

Pingback from  Our 1st project together: a site for alternative healing practice | RSS Reader

Leave a Comment

(required) 
(required) 
(optional)
(required)