How To: Encrypt the ViewState in ASP.NET

Sometimes it's the basic things that we tend to forget. It's true. One example is encrypting the ViewState. Someone asked me this question today and I had to admit that I wasn't able to answer off the top of my head. What's funny is that I've been doing it all along but never told myself to remember how.

Anyhow, let's go back to the topic of how to encrypt the ViewState in ASP.NET.

Prior to .NET 2.0, the way you would do this is via the validation attribute of the machineKey element. From .NET 2.0 onwards, Microsoft provided an option to specify ViewState encryption at the page level or at the web.config level via the ViewStateEncryptionMode attribute.

ViewStateEncryptionMode has three enumeration values that you can use depending on what you need: Auto, Never and Always. ViewStateEncryptionMode.Auto means that the ViewState will be encrypted if a control requests encryption. By default, ViewStateEncryptionMode is set to Auto. ViewStateEncryptionMode.Never means that ASP.NET will not encrypt the ViewState on your page even if a control requests it. This is a useful way to opt out, but only when you know that the page does not need ViewState encryption. ViewStateEncryptionMode.Always, on the other hand, will encrypt the ViewState all the time. A good practice for pages with sensitive information is to always set ViewStateEncryptionMode to Always, as you don't want anybody compromising your ViewState.

To enable ViewState encryption for a single page, all you need to do is specify the value for ViewStateEncryptionMode in the Page directive:

<%@Page ViewStateEncryptionMode="Always" %>

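To enable ViewState encryption via web.config so that it applies to the whole application (note that web.config attribute names are case-sensitive, so the attribute is written viewStateEncryptionMode here):

<configuration>
   <system.web>
      <pages viewStateEncryptionMode="Always" />
   </system.web>
</configuration>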

One thing to remember, though, is that you can't set ViewStateEncryptionMode via code.

To request ViewState encryption from inside a control, all you need to do is call the RegisterRequiresViewStateEncryption() method of the Page class:

protected override void OnInit(EventArgs e)
{
    base.OnInit(e);
    if(Page != null)
    {
        Page.RegisterRequiresViewStateEncryption();
    }
}
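
An added example, not part of the original post: a small Python audit that works out the effective ViewStateEncryptionMode for each page and reports the ones that are not set to Always. It relies on the ASP.NET rule that a value in the @ Page directive overrides the `<pages>` element in web.config; the function names, file names and sample markup are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

MODES = {"auto": "Auto", "always": "Always", "never": "Never"}
# Matches the @ Page directive and captures its attribute text.
PAGE_DIRECTIVE = re.compile(r"<%@\s*Page\b(.*?)%>", re.I | re.S)
MODE_ATTR = re.compile(r"""\bViewStateEncryptionMode\s*=\s*["'](\w+)["']""", re.I)

def config_mode(web_config_xml):
    """Application-wide mode from <system.web><pages>; Auto if unset or unrecognized."""
    pages = ET.fromstring(web_config_xml).find("system.web/pages")
    raw = pages.get("viewStateEncryptionMode") if pages is not None else None
    return MODES.get((raw or "auto").lower(), "Auto")

def page_mode(aspx_source):
    """Mode set in the @ Page directive, or None when the page does not set it."""
    directive = PAGE_DIRECTIVE.search(aspx_source)
    attr = MODE_ATTR.search(directive.group(1)) if directive else None
    return MODES.get(attr.group(1).lower()) if attr else None

def audit(web_config_xml, pages):
    """Return {path: (effective_mode, note)} for every page not set to Always."""
    default = config_mode(web_config_xml)
    findings = {}
    for path, source in pages.items():
        mode = page_mode(source) or default  # page directive overrides web.config
        if mode == "Never":
            findings[path] = (mode, "ViewState is never encrypted")
        elif mode == "Auto":
            findings[path] = (mode, "encrypted only if a control requests it")
    return findings

# Constructed sample input (not from the original post).
SAMPLE_CONFIG = """<configuration><system.web>
  <pages viewStateEncryptionMode="Auto" />
</system.web></configuration>"""
SAMPLE_PAGES = {
    "Login.aspx": '<%@ Page Language="C#" ViewStateEncryptionMode="Always" %>',
    "Report.aspx": '<%@ Page Language="C#" ViewStateEncryptionMode="Never" %>',
    "Home.aspx": '<%@ Page Language="C#" %>',
}

if __name__ == "__main__":
    for path, (mode, note) in sorted(audit(SAMPLE_CONFIG, SAMPLE_PAGES).items()):
        print(f"{path}: {mode} ({note})")
```

Pages reported as Auto need a manual look at their controls, since the audit cannot tell whether any of them calls RegisterRequiresViewStateEncryption().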

Ahhh, such reverie. Now I need to remember this for future use (or questions). Cheers!

Tuesday, May 04, 2010 10:40:43 PM (GMT Daylight Time, UTC+01:00)

 

All content © 2010, Keith Rull