Encrypting ViewState (VB.NET)


Applies to

* ASP.NET 2.0
* VB.NET

Summary

The purpose of this code sample is to demonstrate how to encrypt the client-side session state (ViewState). By default ViewState provides message integrity through a built-in MAC; encryption is an optional configuration setting that may be enabled.


Objectives

* Provide confidentiality of ViewState client-side session data by encrypting the data contained within the ViewState object, particularly where ViewState carries internal details that should be protected so that a user cannot learn specifics about the application's internal logic or data structures.


Scenarios

* Application off-loads session management to clients: encrypting ViewState prevents application data from being exposed to web site users who decode the value, and further mitigates the risk of its being stored in unencrypted form (e.g. in the browser cache).
* Application stores sensitive information such as application internals (e.g. database objects, identifiers, or authorization details) in ViewState that is not intended for viewing through client web UI controls, or that is filtered by the server upon further processing.


Solution Example

The default ViewState encryption mode in .NET Framework 2.0 is Auto, meaning that ViewState is encrypted whenever a control (or the page itself) requests encryption of the ViewState object. The ViewStateEncryptionMode and EnableViewStateMAC settings below are the default behavior and are shown for informational purposes only.

(e.g. <%@ Page Language="VB" ViewStateEncryptionMode="Auto" EnableViewStateMAC="true" %>)

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs)
        ' Request encryption of this page's ViewState; honored when
        ' ViewStateEncryptionMode is Auto (the default) or Always.
        Page.RegisterRequiresViewStateEncryption()
        ViewState("secret") = "some sensitive information we wish to protect"
    End Sub


Problem Example

The following example demonstrates cleartext data stored within the ViewState object without encryption. See test case for further details:

    Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs)
        ' No encryption requested: the value below is only Base64-encoded and MAC'd
        ViewState("secret") = "some sensitive information we wish to protect"
    End Sub


* Any sensitive data stored in the ViewState object is vulnerable to information disclosure by a web site user: ViewState is stored within the HTML source as a hidden form field and may simply be Base64-decoded.
* Application internals and logic may be exposed to a web site user who decodes the ViewState parameter.

Test Case

Decoding the Base64 value in our problem example reveals potentially sensitive information:

Problem Example

<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE"
    value="/wEPDwUJNzgzNDMwNTMzDxYCHgZzZWNyZXQFLXNvbWUgc2Vuc2l0aXZlIGluZm9ybWF0aW9uIHdlIHdpc2ggdG8gcHJvdGVjdGRk/D+Ejemia+ssVPj/D8lfGFO7z6g=" />


The value: /wEPDwUJNzgzNDMwNTMzDxYCHgZzZWNyZXQFLXNvbWUgc2Vuc2l0aXZlIGluZm9ybWF0aW9uIHdlIHdpc2ggdG8gcHJvdGVjdGRk/D+Ejemia+ssVPj/D8lfGFO7z6g=

Contains:

ff 01 0f 0f 05 09 37 38 33 34 33 30 35 33 33 0f .... ..78 3430 533.
16 02 1e 06 73 65 63 72 65 74 05 2d 73 6f 6d 65 .... secr et.- some
20 73 65 6e 73 69 74 69 76 65 20 69 6e 66 6f 72 sen siti ve i nfor
6d 61 74 69 6f 6e 20 77 65 20 77 69 73 68 20 74 mati on w e wi sh t
6f 20 70 72 6f 74 65 63 74 64 64 fc 3f 84 3f e9 o pr otec tdd. ?.?.
a2 6b eb 2c 54 f8 ff 0f c9 5f 18 53 bb cf a8 .k., T... ._.S ...

Solution Example

<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE"
    value="XEqVgkIRKsuTZq+5LgNeGFAbDKGhBiO6ctuLmnJ2sFzlGsJste6CFJZb/vWojG3SrXF8H3jODKvB2KJgtOQ1LeSGppXnzhB2ToaN+KuzwMI=" />


The value: XEqVgkIRKsuTZq+5LgNeGFAbDKGhBiO6ctuLmnJ2sFzlGsJste6CFJZb/vWojG3SrXF8H3jODKvB2KJgtOQ1LeSGppXnzhB2ToaN+KuzwMI=

Contains:

5c 4a 95 82 42 11 2a cb 93 66 af b9 2e 03 5e 18 \J.. B.*. .f.. ..^.
50 1b 0c a1 a1 06 23 ba 72 db 8b 9a 72 76 b0 5c P... ..#. r... rv.\
e5 1a c2 6c b5 ee 82 14 96 5b fe f5 a8 8c 6d d2 ...l .... .[.. ..m.
ad 71 7c 1f 78 ce 0c ab c1 d8 a2 60 b4 e4 35 2d .q|. x... ...` ..5-
e4 86 a6 95 e7 ce 10 76 4e 86 3f f8 ab b3 c0 c2 .... ...v N.?. ....



Expected Result

Once ViewState encryption has been enabled, the settings can be validated by Base64-decoding the contents of the __VIEWSTATE parameter and confirming that no plaintext strings appear.

Additionally, an encrypted ViewState configuration embeds the following hidden request parameter in the resulting pages:

<input type="hidden" name="__VIEWSTATEENCRYPTED" id="__VIEWSTATEENCRYPTED" value="" />
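The validation described in this test case can be scripted. The following Python check is an added example, not part of the original page or of ASP.NET: it pulls the hidden __VIEWSTATE field out of a page body, Base64-decodes it, looks for readable strings the way the `strings` tool would, and reports whether the __VIEWSTATEENCRYPTED marker field is present. The two sample pages are constructed for the example; their __VIEWSTATE values are the two shown on this page. The 0xFF 0x01 header check relies on the serialised-ViewState prefix visible in the problem-example hex dump above.

```python
"""Check whether an ASP.NET page's __VIEWSTATE field is encrypted (added example)."""
import base64
import re

# Matches the hidden fields ASP.NET emits, capturing name and value.
HIDDEN_FIELD_RE = re.compile(
    r'<input[^>]*\bname="(?P<name>__VIEWSTATE(?:ENCRYPTED)?)"[^>]*\bvalue="(?P<value>[^"]*)"',
    re.IGNORECASE,
)

# Constructed sample page: the un-encrypted __VIEWSTATE from the problem example.
PLAINTEXT_PAGE = (
    '<form method="post"><input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" '
    'value="/wEPDwUJNzgzNDMwNTMzDxYCHgZzZWNyZXQFLXNvbWUgc2Vuc2l0aXZlIGluZm9ybWF0aW9uIHdl'
    'IHdpc2ggdG8gcHJvdGVjdGRk/D+Ejemia+ssVPj/D8lfGFO7z6g=" /></form>'
)

# Constructed sample page: the encrypted __VIEWSTATE from the solution example,
# together with the __VIEWSTATEENCRYPTED marker that an encrypted page carries.
ENCRYPTED_PAGE = (
    '<form method="post"><input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" '
    'value="XEqVgkIRKsuTZq+5LgNeGFAbDKGhBiO6ctuLmnJ2sFzlGsJste6CFJZb/vWojG3SrXF8H3jODKvB'
    '2KJgtOQ1LeSGppXnzhB2ToaN+KuzwMI=" />'
    '<input type="hidden" name="__VIEWSTATEENCRYPTED" id="__VIEWSTATEENCRYPTED" value="" />'
    '</form>'
)


def hidden_fields(html: str) -> dict:
    """Return {FIELD_NAME: value} for the __VIEWSTATE* hidden fields in a page body."""
    return {m.group("name").upper(): m.group("value") for m in HIDDEN_FIELD_RE.finditer(html)}


def printable_strings(blob: bytes, min_len: int = 6) -> list:
    """Runs of at least min_len printable ASCII bytes, like the `strings` tool."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def assess_viewstate(html: str) -> dict:
    """Decode a page's __VIEWSTATE and report whether readable content leaks."""
    fields = hidden_fields(html)
    if "__VIEWSTATE" not in fields:
        return {"verdict": "absent", "encrypted_marker": "__VIEWSTATEENCRYPTED" in fields,
                "decoded_length": 0, "starts_with_viewstate_header": False, "strings": []}
    raw = base64.b64decode(fields["__VIEWSTATE"])
    strings = printable_strings(raw)
    # Un-encrypted ASP.NET 2.0 ViewState begins with the bytes 0xFF 0x01 (Base64 "/wE").
    has_header = raw[:2] == b"\xff\x01"
    return {
        "verdict": "plaintext" if (has_header or strings) else "opaque",
        "encrypted_marker": "__VIEWSTATEENCRYPTED" in fields,
        "decoded_length": len(raw),
        "starts_with_viewstate_header": has_header,
        "strings": strings,
    }


if __name__ == "__main__":
    for label, page in (("problem example", PLAINTEXT_PAGE), ("solution example", ENCRYPTED_PAGE)):
        result = assess_viewstate(page)
        print(f"{label}: verdict={result['verdict']} marker={result['encrypted_marker']} "
              f"bytes={result['decoded_length']} strings={result['strings']}")
```

Run against the problem example the check reports `plaintext`, with "secret" and the protected sentence among the recovered strings; against the solution example it reports `opaque` with no readable strings and the marker field present. A `plaintext` verdict on a page that is supposed to have encryption enabled means the ViewStateEncryptionMode setting or the RegisterRequiresViewStateEncryption() call is not taking effect.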





More Information

Because encrypting ViewState has a performance cost, this example encrypts a page's ViewState only when the Page.RegisterRequiresViewStateEncryption() method is called. Alternatively, a developer could set ViewStateEncryptionMode in the ASPX page directive so that ViewState is always encrypted:

(e.g. <%@ Page Language="VB" ViewStateEncryptionMode="Always" EnableViewStateMAC="true" %>)

Care should be taken to account for the additional performance impact of encrypting ViewState; it should be weighed carefully against the alternative of keeping any potentially sensitive information attributed to a user session in the server-side Session object instead.


Additional Resources

* How To Configure the Machine Key in ASP.NET 2.0: http://channel9.msdn.com/wiki/default.aspx/Channel9.HowToConfigureTheMachineKeyInASPNET2

Attributes

* Applies To: .NET Framework 2.0, VB
* Category: Session Management
* Author: George Gal



