Varad, The .NET Guy!

Exploring the excitement of Microsoft .NET and much more...

ASP.NET View State Security

Because ViewState is not formatted as clear text, folks sometimes assume that ViewState is encrypted. It's not. Instead, ViewState is merely base64-encoded so that its values survive the roundtrip intact regardless of the response/request encoding used by the application. If you wish to make ViewState more secure, there are ways to do that as well.

There are two levels of ViewState security you may wish to add to your application:

Tamper-proofing
Encryption

Tamper-Proofing

A hashcode will not secure the actual data within the ViewState field, but it will greatly reduce the likelihood of someone tampering with ViewState to try to spoof your application, that is, posting back values that your application would normally prevent a user from inputting.

You can instruct ASP.NET to append a hashcode to the ViewState field by setting the EnableViewStateMAC attribute:

<%@ Page EnableViewStateMac="true" %>

EnableViewStateMAC can be set at the page or application level. Upon postback, ASP.NET will generate a hashcode for the ViewState data and compare it to the hashcode stored in the posted value. If they don't match, the ViewState data will be discarded and the controls will revert to their original settings.

By default, ASP.NET generates the ViewState hashcode using the SHA1 algorithm. Alternatively, you can select the MD5 algorithm by setting <machineKey> in the machine.config file as follows:

<machineKey validation="MD5" />

Encryption is the other way of securing ViewState.

You can use encryption to protect the actual data values within the ViewState field. First, you must set EnableViewStateMAC="true". Then, set the machineKey validation type to 3DES. This instructs ASP.NET to encrypt the ViewState value using the Triple DES symmetric encryption algorithm.

<machineKey validation="3DES" />

ViewState Security on a Web Farm

By default, ASP.NET creates a random validation key and stores it in each server's Local Security Authority (LSA). In order to validate a ViewState field created on another server, the validationKey for both servers must be set to the same value. If you secure ViewState by any of the means that we discussed earlier for an application running in a Web Farm configuration, you will need to provide a single, shared validation key for all of the servers.

The validation key is a string of 20 to 64 random, cryptographically-strong bytes, represented as 40 to 128 hexadecimal characters. Longer is more secure, so a 128-character key is recommended for machines that support it. For example:

<machineKey validation="SHA1" validationKey="F3690E7A3143C185AB1089616A8B4D81FD55DD7A69EEAA3B32A6AE813ECEECD28DEA66A23BEE42193729BD48595EBAFE2C2E765BE77E006330BC3B1392D7C73F" />
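To make the tamper-proofing and web-farm points concrete, here is an added example (not ASP.NET's own code, and not its real serialization format) that models the MAC check described above: a validationKey parsed from hex, an HMAC-SHA1 tag appended to the serialized state before base64-encoding, and verification on postback that rejects a modified field or a field produced by a server holding a different key. The key values and the state bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
from typing import Optional

TAG_LEN = hashlib.sha1().digest_size  # 20 bytes for SHA1

# Constructed 128-hex-character keys (64 bytes each), not real keys.
KEY_HEX_A = "0123456789abcdef" * 8
KEY_HEX_B = "fedcba9876543210" * 8


def parse_validation_key(hex_key: str) -> bytes:
    """Decode a validationKey; it must be 20-64 bytes (40-128 hex characters)."""
    key = bytes.fromhex(hex_key)
    if not 20 <= len(key) <= 64:
        raise ValueError("validationKey must be 40 to 128 hexadecimal characters")
    return key


def protect(state: bytes, key: bytes) -> str:
    """Append an HMAC-SHA1 tag to the serialized state, then base64-encode."""
    tag = hmac.new(key, state, hashlib.sha1).digest()
    return base64.b64encode(state + tag).decode("ascii")


def validate(field: str, key: bytes) -> Optional[bytes]:
    """Return the state if the tag verifies; None means discard the ViewState."""
    try:
        raw = base64.b64decode(field, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= TAG_LEN:
        return None
    state, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, state, hashlib.sha1).digest()
    # Constant-time comparison avoids leaking the tag through timing.
    return state if hmac.compare_digest(tag, expected) else None


def flip_first_byte(field: str) -> str:
    """Simulate a client editing the state without knowing the key."""
    raw = bytearray(base64.b64decode(field))
    raw[0] ^= 0x01
    return base64.b64encode(bytes(raw)).decode("ascii")
```

Two servers configured with KEY_HEX_A accept each other's fields; a server using KEY_HEX_B, or a field whose state bytes were altered, fails validation and the page falls back to its original control values.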

Posted: Feb 04 2005, 10:18 AM by Varad | with 1 comment(s)

Comments

Jim C said:

Interesting, thanks
February 4, 2005 1:24 PM