V24.1

View State Encryption

The ASP.NET framework uses view state to persist page and control values between postbacks. When the framework renders HTML markup for a page, ASP.NET serializes the current state of the page and non-default control values into base64-encoded strings. The page stores these strings in hidden fields.

To prevent threat actors from viewing or modifying view state data, follow industry-accepted best practices: encrypt view state and validate its message authentication code (MAC).

Encrypt View State

Like other UI controls, DevExpress ASP.NET Web Forms controls store non-default property values in the view state. Encrypt view state data if you assign sensitive information (such as a password or an IP address) to a control property.

To encrypt page view state, set the ViewStateEncryptionMode property to Always in the @ Page directive:

<%@ Page Language="C#" ViewStateEncryptionMode="Always" %>

To encrypt view state data on all pages, set ViewStateEncryptionMode to Always in the configuration file:

<system.web>
  <pages viewStateEncryptionMode="Always" />
</system.web>

Web Farm or Web Garden servers can use different key pairs to encrypt and decrypt view state data. Specify the machineKey element in the Web.config file to set one key pair for all servers in the farm. Refer to the following document for additional information: Web Farm Deployment Considerations.

Check Message Authentication Codes

ASP.NET uses message authentication code (MAC) keys to generate hashes for view state data. The framework appends a hash to the encoded view state data and stores the result in a hidden field. During postback, ASP.NET recalculates the hash and compares it to the value stored in the view state. This process ensures that view state data was not modified on the client.

The EnableViewStateMac property determines whether ASP.NET validates message authentication codes in the page view state. For security-related reasons, you should not disable this property.
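
The following Python script is an added example, not DevExpress or Microsoft code. It audits a Web.config file and an @ Page directive for the view state settings described in this topic. The function names, the web_farm flag, and both sample inputs are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs, not taken from a real application.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <pages viewStateEncryptionMode="Auto" enableViewStateMac="false" />
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>"""
SAMPLE_PAGE = '<%@ Page Language="C#" EnableViewStateMac="false" ViewStateEncryptionMode="Never" %>'

def audit_web_config(xml_text, web_farm=False):
    """Return findings for the <system.web> view state settings in a Web.config."""
    findings = []
    root = ET.fromstring(xml_text)
    pages = root.find("system.web/pages")
    attrs = pages.attrib if pages is not None else {}
    # ASP.NET defaults: viewStateEncryptionMode="Auto", enableViewStateMac="true".
    if attrs.get("viewStateEncryptionMode", "Auto") != "Always":
        findings.append("pages: viewStateEncryptionMode is not Always")
    if attrs.get("enableViewStateMac", "true").lower() == "false":
        findings.append("pages: enableViewStateMac is disabled")
    if web_farm:  # assumed flag: the application runs on several servers
        key = root.find("system.web/machineKey")
        for name in ("validationKey", "decryptionKey"):
            value = key.get(name, "AutoGenerate") if key is not None else "AutoGenerate"
            if value.startswith("AutoGenerate"):
                findings.append(f"machineKey: {name} is auto-generated per server")
    return findings

DIRECTIVE = re.compile(r"<%@\s*Page\b(.*?)%>", re.S | re.I)
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def audit_page(aspx_text):
    """Return findings for per-page overrides in the @ Page directive."""
    findings = []
    match = DIRECTIVE.search(aspx_text)
    attrs = {k.lower(): v.lower() for k, v in ATTR.findall(match.group(1))} if match else {}
    if attrs.get("enableviewstatemac") == "false":
        findings.append("page: EnableViewStateMac is disabled")
    if attrs.get("viewstateencryptionmode") == "never":
        findings.append("page: ViewStateEncryptionMode is Never")
    return findings

if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEB_CONFIG, web_farm=True) + audit_page(SAMPLE_PAGE):
        print(finding)
```

Run the page check over every .aspx file as well as the configuration file, because a page-level directive can override the site-wide setting.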
