V23.2

Callback State Encryption

Advanced ASP.NET Web Forms UI controls (such as the DevExpress ASPxGridView and ASPxScheduler) use callbacks to update render state. For instance, our Web Forms Grid View control sends callbacks to filter, sort, or edit data. Callback states are stored in an encoded hashed format within hidden fields.

To address security-related issues, the server uses MachineKey to encrypt callback state before passing it to the client. The same algorithms and key values encrypt ASP.NET forms-based authentication, view state, and callbacks for DevExpress controls.

Tip

To increase encryption strength, specify the ID property of each DevExpress control.

DevExpress Controls that Encrypt Callback States

Generate Encryption Keys

Internet Information Services (IIS) generates a new encryption key each time the Application Pool recycles. This key generation process works fine for applications deployed on a single server, but can cause errors for applications hosted in a web farm.

In the configuration file, assign a key value to the machineKey element’s decryptionKey attribute to disable automatic key generation:

<configuration>
    <system.web>
        <machineKey 
            validationKey="your-validation-key" 
            decryptionKey="your-decryption-key" 
        />
    </system.web>
</configuration>

Refer to the following help topic for more information: "IIS 7 Tip # 10 You can generate machine keys from the IIS manager".

Disable Encryption

Important

For security-related reasons, you should not disable callback state encryption.

Disable the ProtectControlState setting to turn off callback state encryption for all DevExpress Web Forms UI controls and components:

<configuration>
    <devExpress>
        <settings protectControlState="false" />
        <!-- ... -->
    </devExpress>
</configuration>
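
As an added example (not DevExpress code), the following Python script audits a Web.config for the two settings this page covers: auto-generated machineKey values in a web farm and protectControlState="false". The function name audit_web_config, the web_farm parameter and both sample configurations are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the page): auto-generated keys, encryption off.
SAMPLE_WEAK = """<configuration>
  <system.web>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
  </system.web>
  <devExpress>
    <settings protectControlState="false" />
  </devExpress>
</configuration>"""

# Constructed corrected counterpart; the key values are placeholders.
SAMPLE_FIXED = """<configuration>
  <system.web>
    <machineKey validationKey="your-validation-key"
                decryptionKey="your-decryption-key" />
  </system.web>
  <devExpress>
    <settings protectControlState="true" />
  </devExpress>
</configuration>"""


def audit_web_config(xml_text, web_farm=True):
    """Return findings for the two settings discussed on this page."""
    root = ET.fromstring(xml_text)
    findings = []

    # protectControlState="false" turns off callback state encryption.
    for settings in root.findall("devExpress/settings"):
        if settings.get("protectControlState", "").strip().lower() == "false":
            findings.append("protectControlState is false")

    # In a web farm, every node needs the same explicit key values; a missing
    # element or attribute falls back to auto-generated keys.
    if web_farm:
        machine_key = next(root.iter("machineKey"), None)
        for attr in ("validationKey", "decryptionKey"):
            value = "" if machine_key is None else machine_key.get(attr, "")
            if not value.strip() or value.strip().lower().startswith("autogenerate"):
                findings.append(attr + " is auto-generated")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("fixed", SAMPLE_FIXED)):
        print(name, audit_web_config(text) or "no findings")
```

Pass web_farm=False for a single-server deployment, where auto-generated keys are not reported.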