How EnableViewStateMAC Makes ViewState Secure ?

The ASP.NET ViewState is a client side state management mechanism. The ViewState is stored in a hidden field with an ID __VIEWSTATE. Typically, stored ViewState information looks like:

image

ViewState value looks likes an encrypted string. This is nothing but a Base64 encoded string, and is not an encrypted string. So it can be easily decoded.

The main reasons for using Base64 encoding are as follows:

  1. Base64 makes a string suitable for HTTP transfers
  2. It makes it a little harder to read

But people often get confused that this is an encrypted string.

Let us try to decode the string using ViewState Decoder (a nice tool created by Fritz Onion).

image

After decoding the string, we can see the exact data that is stored inside the ViewState. 

You can write a few lines of code to decode the text and you will get the actual View State information.

image

By default, ViewState is serialized into a Base-64 encoded string. On postback, the ViewState information is loaded and reapplied to the persisted state of the control in the control hierarchy.

You can make sure that the ViewState information is tamper-proof by using “hash codes”. You can do this by adding EnableViewStateMAC=true in your page directive. MAC stands for “Message Authentication Code”.

image

When we use EnableViewStateMac="True", during ViewState save, ASP.NET internally uses a hash code. This hash code is a cryptographically strong checksum. This is added with the ViewState content and stored in a hidden filed. During postback, the checksum data is verified again by ASP.NET. If there is a mismatch, the postback will be rejected.

image

 

Original Post :  How to make ViewState secure in ASP.NET ?

Abhijit Jana

Abhijit runs the Daily .NET Tips. He started this site with a vision to have a single knowledge base of .NET tips and tricks and share post that can quickly help any developers . He is a Former Microsoft ASP.NET MVP, CodeProject MVP, Mentor, Speaker, Author, Technology Evangelist and presently working as a .NET Consultant. He blogs at http://abhijitjana.net , you can follow him @AbhijitJana . He is the author of book Kinect for Windows SDK Programming Guide.

2 Comments to “How EnableViewStateMAC Makes ViewState Secure ?”

Comments are closed.