

Question: How do I protect my web application's ViewState?

Answer:

ViewState sent between browser and server should be integrity-checked with HMACs, which is the default setting. Avoid storing sensitive data in ViewState. If you must store sensitive data in ViewState, encrypt it.
ViewState must be tamper-proofed because it is exposed to both tampering and eavesdropping. Storing sensitive data unencrypted in ViewState also makes your application vulnerable: the integrity check detects modification but does nothing to hide the contents.
Here is how you can protect ViewState.
* Protect ViewState with HMACs – Hash-based message authentication codes (HMACs) provide tamper detection for ViewState. This feature is enabled by default because the system-wide enableViewStateMAC setting is true in machine.config. You can also enable ViewState protection at the page level by setting the EnableViewStateMAC attribute to true, as shown below:
		 <%@ Page EnableViewState="true" EnableViewStateMAC="true" %>
	
* Encrypt ViewState if it contains sensitive data – Avoid storing sensitive data in ViewState. If you must store sensitive data in ViewState, encrypt it.
* To enable encryption of ViewState, use one of the following page directives.
		 <%@ Page ViewStateEncryptionMode="Auto" ... %>
		 <%@ Page ViewStateEncryptionMode="Always" ... %>
	
With ViewStateEncryptionMode set to Auto, ViewState is encrypted only if a control has specifically requested it by calling the Page.RegisterRequiresViewStateEncryption method. If it is set to Always, encryption is forced even when no control requests it.
* Add the following decryption attribute to the <machineKey> element in either Web.config or Machine.config.
		 <system.web>
		     <machineKey decryptionKey="AutoGenerate,IsolateApps" decryption="3DES" ... />
		 </system.web>
	
* If you use ViewState HMACs or encryption and you deploy your application in a Web farm, you must ensure that the configuration files on each server share the same validation (hashing) and decryption keys; otherwise ViewState issued by one server fails validation on another.
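The following is an added example, not code from the original FAQ or from ASP.NET itself. It is a small Python model of the three points above: why enableViewStateMAC matters (a modified field is rejected), why a MAC alone does not protect sensitive data (the payload is still readable by anyone who sees the hidden field), and why farm nodes must share keys (a ViewState signed on one node fails validation on a node holding a different, auto-generated key). The JSON-plus-base64 encoding, the HMAC-SHA256 choice and the key values are constructed for illustration; the real ASP.NET serializer and key handling differ.

```python
"""Constructed model of ViewState integrity protection (not ASP.NET's real serializer).

Payload layout used here: base64( json_payload || HMAC-SHA256(json_payload) ).
The trailing 32 bytes play the role of the MAC appended when enableViewStateMAC=true.
"""
import base64
import hashlib
import hmac
import json

MAC_LEN = 32  # HMAC-SHA256 digest size

# Constructed sample keys. In ASP.NET these correspond to the machineKey
# validationKey, which must be identical on every node of a Web farm.
FARM_KEY = bytes.fromhex("0f" * 32)            # explicitly configured, shared by all nodes
AUTO_GENERATED_KEY = bytes.fromhex("a5" * 32)  # what one node would hold with AutoGenerate


def serialize_viewstate(state: dict, validation_key: bytes) -> str:
    """Produce a MAC-protected ViewState string for the hidden __VIEWSTATE field."""
    payload = json.dumps(state, sort_keys=True).encode()
    mac = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode()


def deserialize_viewstate(blob: str, validation_key: bytes) -> dict:
    """Verify the MAC before trusting any field; raise ValueError on mismatch."""
    raw = base64.b64decode(blob)
    if len(raw) < MAC_LEN:
        raise ValueError("ViewState too short to carry a MAC")
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        raise ValueError("ViewState MAC validation failed")
    return json.loads(payload)


def validates(blob: str, validation_key: bytes) -> bool:
    """True if the server would accept this ViewState, False if it rejects it."""
    try:
        deserialize_viewstate(blob, validation_key)
        return True
    except ValueError:
        return False


def modified_copy(blob: str, field: str, new_value) -> str:
    """Return the same ViewState with one field changed but the original MAC kept.

    This is what a browser-side edit of the hidden field looks like to the server;
    it is here only to show that the integrity check catches it.
    """
    raw = base64.b64decode(blob)
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    state = json.loads(payload)
    state[field] = new_value
    return base64.b64encode(json.dumps(state, sort_keys=True).encode() + mac).decode()


def peek_without_verifying(blob: str) -> dict:
    """Read the payload without any key: shows that a MAC provides no confidentiality."""
    raw = base64.b64decode(blob)
    return json.loads(raw[:-MAC_LEN])


def farm_roundtrip(state: dict, issuing_key: bytes, validating_key: bytes) -> bool:
    """True if ViewState issued by one farm node validates on another node."""
    return validates(serialize_viewstate(state, issuing_key), validating_key)


if __name__ == "__main__":
    page_state = {"price": 100, "step": 2}   # constructed sample page state
    vs = serialize_viewstate(page_state, FARM_KEY)
    print("accepted unchanged:", validates(vs, FARM_KEY))
    print("accepted after edit:", validates(modified_copy(vs, "price", 1), FARM_KEY))
    print("readable without key:", peek_without_verifying(vs))
    print("validates on node with shared key:", farm_roundtrip(page_state, FARM_KEY, FARM_KEY))
    print("validates on node with own key:", farm_roundtrip(page_state, FARM_KEY, AUTO_GENERATED_KEY))
```

The last two lines of the demo are the Web farm case: with `AutoGenerate` each node holds its own key, so a postback that lands on a different node than the one that rendered the page is rejected; configuring the same explicit keys on every node is what makes the round trip succeed.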

More Information

For more information on securing ViewState and configuring MachineKey settings, see “How To: Configure MachineKey in ASP.NET 2.0” at http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGHT000007.asp

