Encrypt ViewState in ASP.NET 2.0

Akiii
Posted by Akiii under C# category on | Points: 40 | Views : 2702
First of all, what is a ViewState ?

It is a hidden field generated by ASP.NET that contains information about all the controls on the page. Primarily ViewState values are shown in the page source. By default, it is Base64 Encoded. If you have a Base64 decoder then it can be easily decoded.

Now, Suppose you want to encrypt the ViewState value by a different encoding technique, then how will do that ?

<configuration>
<system.web>
<machineKey validation="3DES" />
</system.web>
</configuration>


Write the above code in the web.config file. The above configuration allows you to make ViewState value by "Triple DES" encryption standard.
You can also set ViewState encryption type in configuration level :-

<configuration>
<system.web>
<pages ViewStateEncryptionMode="Always" />
</system.web>
</configuration>


If you want to encrypt the ViewState at a page level, then

<%@Page ViewStateEncryptionMode="Always" %>


The ViewStateEncryptionMode enumeration has three values: Auto , Always , and Never . The default value is Auto .


Note: Please note that following the above encryption method doesn't guarantee you full security. ViewState value can still be decoded, if you know how to do that but the above method will still make it much safer than the default Base64 encoding. Also note that, encrypting the ViewState information will issue performance cost associated and it will lead to overhead. Ideally the view state should not need to be encrypted, as it should never contain sensitive information.


Thanks and Regards
Akiii

Comments or Responses

Posted by: T.saravanan on: 2/5/2012 Level:Silver | Status: [Member] [MVP] | Points: 10
Hi Akiii,

Nice info to the users.
Posted by: Akiii on: 2/5/2012 Level:Bronze | Status: [Member] | Points: 10
Thanks Saravanan, I hope i can contribute more...


Regards
Akiii

Login to post response