views:

1684

answers:

2

I have a few questions about when and how viewstate is encrypted in asp.net 3.5. For instance, if I have a machinekey entry in my web.config like: decryptionKey="AutoGenerate,IsolateApps" validation="AES" decryption="Auto" />

Is viewstate encrypted at this point? Or do I need to specify the viewStateEncryptionMode in the page section also?

Also, is it possible to encrypt a formsauthentication cookie, but not encrypt viewstate at the same time?

Thanks for any help.

+3  A: 

The controls on the page can request that encryption be used for the ViewState, but even this request can be overridden by the page setting.

The ViewStateEncryptionMode enumeration has three values: Auto, Always, and Never. The default value is Auto.

ViewStateEncryptionMode.Auto

In this mode, ASP.NET will encrypt the ViewState for a page if any control on the page requests it. Note that this means all of the ViewState is encrypted, not just the ViewState for the control that requests it. A large part of the performance cost associated with encryption is in the overhead. So encrypting the whole ViewState is faster than doing separate encryption operations if more than one control makes the request.

ViewStateEncryptionMode.Never

As you would expect, in this mode ASP.NET will not encrypt the ViewState, even if the application is set for encryption and controls on the page have requested it. If you know that no data involved in the page needs to be encrypted, then it may be safe to set the mode to Never. However, at this point it is rare for the documentation about a control to disclose what is being saved in ViewState, so you will want to be careful if there is a chance that sensitive data could be exposed.

ViewStateEncryptionMode.Always

In this mode, ASP.NET does not wait for a control in the page to request encryption. ViewState is always encrypted. When working with sensitive data, it is a good practice to utilize encryption.

Source: http://msdn.microsoft.com/en-us/library/aa479501.aspx

Dan Esparza
A: 

For all the questions like this (and my own sanity), I wrote a small utility class which will allow you to persist viewstate not only on postbacks but to other pages as well. It also works perfectly in a web farm situation where any server might serve your page.

It is very easy to integrate to your code.. two lines ... and allows you to use property syntax to save and retrieve variables .. myvar.MemberID = "1234" etc.

It includes, DES encryption (turn on/off per page as needed), and a property to let you know if someone tampered with the URL.

Clean and easy ... enjoy

The blog entry has a link to the full sample code. http://designlunacy.blogspot.com/2009/02/easy-web-state-management.html#links

Karl Kemerait - Underhill, VT

Karl