Skip to main content

Callback State Encryption

  • 2 minutes to read

Advanced ASP.NET MVC extensions (such as the DevExpress GridViewExtension and SchedulerExtension) use callbacks to update render state. For instance, our MVC GridView extension sends callbacks to filter, sort, or edit data. Callback states are stored in an encoded hashed format within hidden fields.

To address security-related issues, the server uses MachineKey to encrypt callback state before passing it to the client. The same algorithms and key values encrypt ASP.NET forms-based authentication, view state, and callbacks for DevExpress MVC extensions.

Tip

To increase encryption strength, specify the Name property of each DevExpress MVC extension.

DevExpress MVC Extensions that Encode Callback States

Generate Encryption Keys

Internet Information Services (IIS) generates a new encryption key each time the Application Pool recycles. This key generation process works fine for applications deployed on a single server, but can cause errors for applications hosted in a web farm.

In the configuration file, assign a key value to the machineKey element’s decryptionKey attribute to disable automatic key generation:

<machineKey 
    validationKey="your-validation-key" 
    decryptionKey="your-decryption-key" 
/>

Refer to the following help topic for more information: IIS 7 Tip # 10 You can generate machine keys from the IIS manager.

Disable Encryption

Important

For security-related reasons, you should not disable callback state encryption.

Disable the ProtectControlState setting to turn off callback state encryption for all DevExpress MVC extensions:

<configuration>
    <devExpress>
        <settings protectControlState="false" />
        <!-- ... -->
    </devExpress>
</configuration>