ViewState: Encrypted or Encoded?

Posted by on October 20, 2009

One of the many ways to maintain state within an ASP.Net application is to use the ViewState. ViewState is sent to the client embedded in the HTML response. The ViewState can be found by viewing the page source and looking for the hidden __VIEWSTATE tag (seen below).

<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE"
value="/wEPDwUJNzgzNDMwNTMzDxYCHglGaXJzdE5hbWUFBUphbWVzZGTh6rDFbP6RwQU6igzX8vn5IrEPyQ==" />

The ViewState above is misleading to most developers. The value looks encrypted, which leads them to assume it is secure. Unfortunately, the value is not encrypted, only encoded (Base64). When we decode the value it looks like this:

783430533[1]FirstNameJamesdd l :

Much of the decoded output is made up of non-printable characters, but the key values we are looking for in this example are the "FirstName" property and its value of "James". This property was set in the code-behind below:

ViewState["FirstName"] = "James";

This example shows how important it is to consider what data is stored in ViewState. Sensitive data should never be stored in ViewState, and if absolutely required, it should be encrypted with a strong algorithm.

There are a few properties associated with ViewState that are worth learning about:

EnableViewStateMac

ViewStateEncryptionMode

ViewStateUserKey

These properties have great descriptions on MSDN. I encourage you to view the details about them if you are working with ViewState.
