Wednesday, June 1, 2011

Making ViewState Secure

One of the most common ways to store information is in view state. View State uses hidden
field that ASP.Net automatically inserts in the rendered HTML of a web page. View state
information is stored in a single jumbled string that looks like this:
As this value isn’t formated as clear text, many ASP.Net programmers assume that
their view state data is encrypted. Actually, view state information is simply patched
together in memory and converted to a Base54 string which is a special type of string that
is always acceptable in an HTML document because it does not include any special character.
A clever hacker could reverse-engineer this string and examine your view state data
in a matter of second.
To make your secure data temperproof you have to use encryption enabled. You can turn on
encryption for an individual page using the ViewStateEncryptionMode property of the page