Callback State Encryption
- 2 minutes to read
Advanced ASP.NET MVC extensions (such as the DevExpress GridViewExtension and SchedulerExtension) use callbacks to update render state. For instance, our MVC GridView extension sends callbacks to filter, sort, or edit data. Callback states are stored in an encoded hashed format within hidden fields.
To address security-related issues, the server uses MachineKey to encrypt callback state before passing it to the client. The same algorithms and key values encrypt ASP.NET forms-based authentication, view state, and callbacks for DevExpress MVC extensions.
Tip
To increase encryption strength, specify the Name property of each DevExpress MVC extension.
Generate Encryption Keys
Internet Information Services (IIS) generates a new encryption key each time the Application Pool recycles. This key generation process works fine for applications deployed on a single server, but can cause errors for applications hosted in a web farm.
In the configuration file, assign a key value to the machineKey element’s decryptionKey attribute to disable automatic key generation:
<machineKey
validationKey="your-validation-key"
decryptionKey="your-decryption-key"
/>
Refer to the following help topic for more information: IIS 7 Tip # 10 You can generate machine keys from the IIS manager.
Disable Encryption
Important
For security-related reasons, you should not disable callback state encryption.
Disable the ProtectControlState setting to turn off callback state encryption for all DevExpress MVC extensions:
<configuration>
<devExpress>
<settings protectControlState="false" />
<!-- ... -->
</devExpress>
</configuration>