Callback State Encryption
- 2 minutes to read
Advanced DevExpress ASP.NET Bootstrap controls (Card View, Grid View, and Scheduler) use callbacks to update render state. For instance, our Bootstrap Grid View control sends callbacks to filter, sort, or edit data. Callback states are stored in an encoded hashed format within hidden fields.
To address security-related issues, the server uses MachineKey to encrypt callback state before passing it to the client. The same algorithms and key values encrypt ASP.NET forms-based authentication, view state, and callbacks for DevExpress ASP.NET Bootstrap controls.
Tip
To increase encryption strength, specify the ID property of each DevExpress ASP.NET Bootstrap control.
Generate Encryption Keys
Internet Information Services (IIS) generates a new encryption key each time the Application Pool recycles. This key generation process works fine for applications deployed on a single server, but can cause errors for applications hosted in a web farm.
In the configuration file, assign a key value to the machineKey element’s decryptionKey attribute to disable automatic key generation:
<machineKey
validationKey="your-validation-key"
decryptionKey="your-decryption-key"
/>
Refer to the following help topic for more information: IIS 7 Tip # 10 You can generate machine keys from the IIS manager.
Disable Encryption
Important
For security-related reasons, you should not disable callback state encryption.
Disable the ProtectControlState setting to turn off callback state encryption for all DevExpress ASP.NET Bootstrap controls:
<configuration>
<devExpress>
<settings protectControlState="false" />
<!-- ... -->
</devExpress>
</configuration>