views:

424

answers:

5

What is ViewState? How is it encoded? Is it encrypted? Who uses ViewState?

+2  A: 

It is a hidden field generated by ASP.NET that contains information about all the controls on the page. Ideally the view state should not need to be encrypted, as it should never contain sensitive information. To indicate that the view state should be encrypted, set the <machineKey> element's validation attribute in the machine.config file to 3DES. There's a nice article on MSDN describing ViewState.

Darin Dimitrov
+1  A: 

ViewState is one technique asp.net uses to enable the postback model. The state for all controls that are marked runat="server" is stored in this base64 string.

This pluralsite article explains in more depth

Sky Sanders
+2  A: 

View state is a kind of hash map (or at least you can think of it that way) that ASP.NET uses to store all the temporary information about a page - like what options are currently chosen in each select box, what values are there in each text box, which panel are open, etc. You can also use it to store any arbitrary information.

The entire map is serialized and encrypted and kept in a hidden variable thats posted back to the server whenever you take any action on the page that required a server round trip. This is how you can access the values on the controls from the server code. If you change any value in the server code, that change is made in the view state and sent back to the browser.

Just be careful about how much information you store in the view state, though... it can quickly become bloated and slow to transfer each time to the server and back.

As for encryption, I dont' know how strong it is, but its sure not easily human readable. I wouldn't use it for sensitive information, though.

Sudhir Jonathan
By default it's not encrypted... it can be, as another posted, Darin, stated. I thought it was too for a long time! Try copying the _VIEWSTATE hidden field into a base64 decoder and you'll see the content.
Joel
Ah, nice point... never thought of that.
Sudhir Jonathan
+1  A: 

ViewState's not encrypted as default, using base64 encoding. You may want to use viewstate if your page has an action with controls.

cem
+3  A: 

If you really want to understand ViewState (not just what it is used for), then you may want to read this fabulous article (which I, unfortunately, am not the author of :-). Beware, though, it is a bit dated, but still a very good read.

Rune