Your SlideShare is downloading. ×
Introduction to ASP.Net Viewstate
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Introduction to ASP.Net Viewstate

5,320
views

Published on

Introduction to ASP.Net Viewstate by Dhiraj Ranka @ null Mumbai Meet, November, 2010

Introduction to ASP.Net Viewstate by Dhiraj Ranka @ null Mumbai Meet, November, 2010

Published in: Technology

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
5,320
On Slideshare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
61
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Introduction to ASP.NET ViewState - By Dhiraj Ranka (NII Consulting)
  • 2. HTTP Protocol • Stateless  • Uses cookies, sessions to maintain state • Where is ViewState in picture?
  • 3. ASP.NET Page life cycle • verifying file access rights • resurrecting the user's session state (HTTP modules)
  • 4. Page Life Cycle events
  • 5. View State • persist state across post backs • store name and value pairs • “What sort of state needs to be persisted?” • in instantiation stage, control hierarchy is created • For example, <asp:Label runat="server" Font-Name="Verdana" Text="Hello, World!"></asp:Label>
  • 6. The View State Property • Every control can stores its state • Example public string NavigateUrl { get { string text = (string) ViewState["NavigateUrl"]; if (text != null) return text; else return string.Empty; } set { ViewState["NavigateUrl"] = value; } } • whenever a control's property is read, the control's ViewState is consulted
  • 7. Storing Information in the Page's ViewState Property • persist page-specific and user-specific information across postbacks • Code would look like – ViewState[keyName] = value • example - creating a pageable, sortable DataGrid • sort expression must be persisted across postbacks
  • 8. The Cost of View State • Nothing comes for free, and view state is no exception • two performance hits for every request – In save view state control hierarchy is saved in base- 64 encoded string which is emitted in “__VIEWSTATE” hidden form field and in load view state the same is decoded and control hierarchy is updated – extra size to the Web page. Some times for view state- heavy pages can be tens of kilobytes 
  • 9. Enabling/Disabling ViewState • At control level – <asp:Label EnableViewState=“false”…></asp:Label> • At individual page level – <%@Page EnableViewState="False" %> – Page.EnableViewState = false; • At site/application level (in web.config) – <pages enableViewState="true">
  • 10. View State and Security Implications • Its nothing but base-64 encoded string • Attacker can easily decode it, manipulate and encode back before sending it
  • 11. Prevention • Tamper proofing • Encryption • The ViewStateUserKey Property
  • 12. Tamper Proofing • Use a machine authentication check, or MAC • It ensure that the data received by a computer is the same data that it transmitted • hashing the view state data and appending this hash to the end of the view state • When post back occurs it checks to ensure that the appended hash matches up with the hashed value • default hashing algorithm used is SHA1 (MD5)
  • 13. Generic Error
  • 14. Encryption • To encrypt the view state, set the <machineKey> element's validation attribute in the machine.config file to 3DES – Can be SHA1, MD5, AES • the <machineKey> element contains validationKey and decryptionKey attributes • validationKey attribute for MAC • decryptionKey attribute for 3DES • Default values are “AutoGenerate,IsolateApp”
  • 15. Concerns with Encryption • Previous settings works fine with single web server • In web farm, it's vital that all Web servers use the same keys for MAC and/or encryption and decryption • Use shared key among all web servers
  • 16. The ViewStateUserKey Property • Must be assigned a string value in initialization stage(Page_Init event) • User-specific value as username, but can be guessable • Recommended value is SessionID • Code would look this (Page_Init event) – Page.ViewStateUserKey = Session.SessionID;
  • 17. • Attacker(Evil Bob) requests a page • Server salting ViewState hash using attacker’s username(Evil Bob) • Attacker tricks Normal user(Alice) to request server passing in his view state • Web server notices that Alice’s ViewStateUserKey(“Alice”) doesn’t match up with the appended key (“Evil bob”) – Exception is thrown
  • 18. Thank you

×