Using ViewState with Sensitive Data


By now, you’re aware that ASP.NET maintains state between requests in the stateless HTTP protocol. How does this work? The process is actually straightforward once you get a feel for what is happening behind the scenes. To recall the previous state, each control can contribute some ViewState that it needs to have access to when the postback occurs. This ViewState from the page controls is put together into a hidden form field and sent to the client. When the page is posted back to the server, the ViewState is broken up and given back to the controls that asked for it to be saved. When you look at the source of a page in the browser, you’ll see that the ViewState data is contained in a hidden form field that is not as easily readable as you might have expected. This is for two reasons. First, the data is base64-encoded for transmission to and from the client. By simply base64-decoding it, you can easily see the real values. Second, the ViewState data is hashed with a server key in what is referred to as the ViewState MAC. This guards against users modifying the ViewState and posting data back to the servers that differs from what was sent.

Encoding and hashing the ViewState is not equivalent to encrypting the data. Data encryption is computationally expensive and is therefore not the default for ViewState. ASP.NET does provide support for automatically encrypting and decrypting the ViewState. Always make sure that the ViewState MAC is enabled when you are using ViewState. When working with confidential data, also set the machineKey validation attribute to 3DES. ASP.NET then automatically encrypts and decrypts the page ViewState, protecting it from prying eyes and from client-side tampering. Of course, using Secure Sockets Layer (SSL) on the page gives an even greater degree of protection against any information being discovered by someone watching data go by.

Code Listing 2-21 is a sample web.config file that sets the enableViewStateMac attribute to true, which is the default despite the comment in machine.config that says otherwise. It also enables encryption by setting the validation algorithm to Triple DES. Note that setting the validation attribute to 3DES causes encryption; the validation against ViewState tampering is actually controlled by the enableViewStateMac attribute.

Code Listing 2-21: EncryptionWeb.config

    <configuration>
      <system.web>
        <pages enableViewStateMac="true" />
        <machineKey validation="3DES" />
      </system.web>
    </configuration>

Tip

When deploying in a Web farm without server affinity (meaning that each request from a client session can be handled by a different server), the validation key must be set explicitly and synchronized between the machines. If the default AutoGenerate setting is used, postbacks handled by a machine other than the one on which the ViewState was generated will not be processed correctly, and the user will get an error.
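The mechanism described above, as an added example that is not code from the book: a small Python model of a ViewState field that is serialized, MAC'd with a server key and base64-encoded. JSON and HMAC-SHA1 stand in for ASP.NET's own state format and MAC algorithm (an assumption for illustration only), and the two server keys are constructed values. It shows that the field stays readable without the key, that an altered field fails validation, and that a second farm member whose validation key was never synchronized rejects a valid field too, which is the failure the Tip warns about.

```python
import base64
import hashlib
import hmac
import json

# Constructed keys: one farm member, and a second member that never
# had its validationKey synchronized (the Tip's misconfiguration).
SERVER_KEY = b"server-a-validation-key"
OTHER_SERVER_KEY = b"server-b-validation-key"
MAC_LEN = hashlib.sha1().digest_size


def encode_viewstate(state, key):
    """Serialize control state, append a MAC over it, base64 the result.
    JSON is a stand-in for ASP.NET's binary state format (assumption)."""
    payload = json.dumps(state, sort_keys=True).encode()
    mac = hmac.new(key, payload, hashlib.sha1).digest()
    return base64.b64encode(payload + mac).decode()


def decode_viewstate(field, key):
    """Return the state if the MAC verifies under `key`, else None.
    A mismatch means the field was altered in transit or was produced
    by a server holding a different validation key."""
    raw = base64.b64decode(field)
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha1).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(payload)


def peek_without_key(field):
    """Base64 alone gives no secrecy: the payload is readable without
    the key. Only the trailing MAC bytes are opaque."""
    raw = base64.b64decode(field)
    return json.loads(raw[:-MAC_LEN])


def alter_payload(field, old, new):
    """Change bytes inside the payload without recomputing the MAC,
    so the MAC check can be shown to reject the result."""
    raw = base64.b64decode(field)
    return base64.b64encode(raw.replace(old, new, 1)).decode()


if __name__ == "__main__":
    state = {"txtTotal": "100.00", "ddlRole": "user"}
    field = encode_viewstate(state, SERVER_KEY)
    print(peek_without_key(field))                 # readable, no key needed
    print(decode_viewstate(field, SERVER_KEY))     # same server: verifies
    print(decode_viewstate(alter_payload(field, b"user", b"root"), SERVER_KEY))  # None
    print(decode_viewstate(field, OTHER_SERVER_KEY))  # None: unsynchronized farm key
```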




Source: Microsoft ASP.NET Coding Strategies with the Microsoft ASP.NET Team (Pro-Developer), ISBN 073561900X, 2005, 144 pages.
