First of all, what is a ViewState
It is a hidden field generated by ASP.NET that contains information about all the controls on the page. Primarily ViewState
values are shown in the page source. By default, it is Base64
Encoded. If you have a Base64
decoder then it can be easily decoded.
Now, Suppose you want to encrypt the ViewState
value by a different encoding technique, then how will do that ?
<machineKey validation="3DES" />
Write the above code in the web.config
file. The above configuration allows you to make ViewState
value by "Triple DES"
You can also set ViewState
encryption type in configuration level :-
<pages ViewStateEncryptionMode="Always" />
If you want to encrypt the ViewState
at a page level, then
<%@Page ViewStateEncryptionMode="Always" %>
enumeration has three values: Auto
, and Never
. The default value is Auto
Note: Please note that following the above encryption method doesn't guarantee you full security
value can still be decoded, if you know how to do that but the above method will still make it much safer than the default Base64
encoding. Also note that, encrypting the ViewState
information will issue performance cost associated and it will lead to overhead. Ideally the view state should not need to be encrypted, as it should never contain sensitive information.
Thanks and Regards