During a discussion about security, a developer on my team asked if there was a way to tell if viewstate has been tampered with. I'm embarrassed to say that I didnt know the answer. I told him I would find out, but thought I would give someone on here a chance to answer first. I know there is some automatic validation, but is there a way to do it manually if event validation is not enabled?
views:
361answers:
3To be more specific, you can enable EnableViewStateMac on a page by page basis, or in the web.config.
Scott Hanselman
2008-09-16 04:01:51
Good to know, Scott!
Kilhoffer
2008-09-17 13:26:04
A:
You might be able to do it manually, but you'd just be implementing the same algorithm that's already there for you. It's generally a bad idea to disable the ViewState validation on a page.
Eric Z Beard
2008-09-16 02:11:05
+2
A:
ViewState by default is MIME encoded and hashed with a MAC key (either from the machine or from the web.config file), which helps prevent tampering (i.e. decoding blows up). You can also encrypt and compress ViewState if you like for further protection and less overhead, respectively. See MS ViewState and CodeProject.com
Steven A. Lowe
2008-09-16 02:21:37