Skip to main content
All docs
V24.2

Callback State Encryption

  • 2 minutes to read

Advanced ASP.NET Web Forms UI controls (such as the DevExpress ASPxGridView and ASPxScheduler) use callbacks to update render state. For instance, our Web Forms Grid View control sends callbacks to filter, sort, or edit data. Callback states are stored in an encoded hashed format within hidden fields.

To address security-related issues, the server uses MachineKey to encrypt callback state before passing it to the client. The same algorithms and key values encrypt ASP.NET forms-based authentication, view state, and callbacks for DevExpress controls.

Tip

To increase encryption strength, specify the ID property of each DevExpress control.

DevExpress Controls that Encrypt Callback States

Generate Encryption Keys

Internet Information Services (IIS) generates a new encryption key each time the Application Pool recycles. This key generation process works fine for applications deployed on a single server, but can cause errors for applications hosted in a web farm.

In the configuration file, assign a key value to the machineKey element’s decryptionKey attribute to disable automatic key generation:

<machineKey 
    validationKey="your-validation-key" 
    decryptionKey="your-decryption-key" 
/>

Refer to the following help topic for more information: IIS 7 Tip # 10 You can generate machine keys from the IIS manager.

Disable Encryption

Important

For security-related reasons, you should not disable callback state encryption.

Disable the ProtectControlState setting to turn off callback state encryption for all DevExpress Web Forms UI controls and components:

<configuration>
    <devExpress>
        <settings protectControlState="false" />
        <!-- ... -->
    </devExpress>
</configuration>