Introduction to ASP.Net Viewstate

Introduction to ASP.Net Viewstate by Dhiraj Ranka @ null Mumbai Meet, November, 2010

Transcript of "Introduction to ASP.Net Viewstate"

  1. Introduction to ASP.NET ViewState - By Dhiraj Ranka (NII Consulting)
  2. HTTP Protocol
     • Stateless
     • Uses cookies and sessions to maintain state
     • Where is ViewState in the picture?
  3. ASP.NET Page life cycle
     • verifying file access rights
     • resurrecting the user's session state (HTTP modules)
  4. Page Life Cycle events
  5. View State
     • Persists state across postbacks
     • Stores name and value pairs
     • “What sort of state needs to be persisted?”
     • In the instantiation stage, the control hierarchy is created
     • For example, <asp:Label runat="server" Font-Name="Verdana" Text="Hello, World!"></asp:Label>
  6. The View State Property
     • Every control can store its state
     • Example:
         public string NavigateUrl
         {
             get
             {
                 // Read the value back from the control's ViewState bag
                 string text = (string) ViewState["NavigateUrl"];
                 if (text != null)
                     return text;
                 else
                     return string.Empty;
             }
             set
             {
                 ViewState["NavigateUrl"] = value;
             }
         }
     • Whenever a control's property is read, the control's ViewState is consulted
  7. Storing Information in the Page's ViewState Property
     • Persists page-specific and user-specific information across postbacks
     • Code would look like: ViewState[keyName] = value
     • Example: creating a pageable, sortable DataGrid
     • The sort expression must be persisted across postbacks
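As an added example (not code from the slide deck), this is what slide 7's pattern looks like on a page with a sortable DataGrid: the sort expression lives in the page's ViewState behind a typed property, so it survives the postback caused by the next sort click without any server-side session storage. The ProductsGrid control, its SortCommand wiring in the .aspx, and the product rows are assumptions made for the example.

```csharp
using System;
using System.Data;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example, not the slide deck's code. Assumes the .aspx declares
// <asp:DataGrid ID="ProductsGrid" runat="server" AllowSorting="true"
//   OnSortCommand="ProductsGrid_SortCommand" />
public partial class ProductList : Page
{
    // Typed wrapper around the page's ViewState, the same pattern the
    // NavigateUrl property on slide 6 uses inside a control.
    private string SortExpression
    {
        get { return (string)ViewState["SortExpression"] ?? "Name"; }
        set { ViewState["SortExpression"] = value; }
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // On a postback the grid's own state comes back through view state;
        // only the first request needs an initial bind.
        if (!IsPostBack)
            BindGrid();
    }

    protected void ProductsGrid_SortCommand(object source, DataGridSortCommandEventArgs e)
    {
        // Written into __VIEWSTATE when the page is saved and read back on
        // the next postback, so the chosen order is remembered.
        SortExpression = e.SortExpression;
        BindGrid();
    }

    private void BindGrid()
    {
        // Constructed sample data; a real page would query a database.
        var table = new DataTable();
        table.Columns.Add("Name", typeof(string));
        table.Columns.Add("Price", typeof(decimal));
        table.Rows.Add("Keyboard", 25m);
        table.Rows.Add("Monitor", 180m);
        table.Rows.Add("Mouse", 12m);

        var view = new DataView(table) { Sort = SortExpression };
        ProductsGrid.DataSource = view;
        ProductsGrid.DataBind();
    }
}
```

Because the sort expression travels to the browser and back inside __VIEWSTATE, it is exactly the kind of value slide 10 warns can be decoded and altered; the MAC described under Tamper Proofing is what makes the round trip safe.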
  8. The Cost of View State
     • Nothing comes for free, and view state is no exception
     • Two performance hits for every request:
       – In save view state, the control hierarchy is saved as a base-64 encoded string which is emitted in the “__VIEWSTATE” hidden form field; in load view state the same string is decoded and the control hierarchy is updated
       – Extra size added to the Web page. Sometimes, for view state-heavy pages, this can be tens of kilobytes
  9. Enabling/Disabling ViewState
     • At control level
       – <asp:Label EnableViewState="false" ...></asp:Label>
     • At individual page level
       – <%@ Page EnableViewState="False" %>
       – Page.EnableViewState = false;
     • At site/application level (in web.config)
       – <pages enableViewState="true">
  10. View State and Security Implications
     • It's nothing but a base-64 encoded string
     • An attacker can easily decode it, manipulate it and encode it back before sending it
  11. Prevention
     • Tamper proofing
     • Encryption
     • The ViewStateUserKey Property
  12. Tamper Proofing
     • Use a machine authentication check, or MAC
     • It ensures that the data received by a computer is the same data that it transmitted
     • Hashes the view state data and appends this hash to the end of the view state
     • When a postback occurs, it checks that the appended hash matches the hashed value
     • Default hashing algorithm used is SHA1 (MD5)
  13. Generic Error
  14. Encryption
     • To encrypt the view state, set the <machineKey> element's validation attribute in the machine.config file to 3DES
       – Can be SHA1, MD5, AES
     • The <machineKey> element contains validationKey and decryptionKey attributes
     • validationKey attribute for MAC
     • decryptionKey attribute for 3DES
     • Default values are “AutoGenerate,IsolateApp”
  15. Concerns with Encryption
     • The previous settings work fine with a single web server
     • In a web farm, it's vital that all Web servers use the same keys for MAC and/or encryption and decryption
     • Use a shared key among all web servers
  16. The ViewStateUserKey Property
     • Must be assigned a string value in the initialization stage (Page_Init event)
     • A user-specific value such as the username, but that can be guessable
     • Recommended value is SessionID
     • Code would look like this (Page_Init event):
       – Page.ViewStateUserKey = Session.SessionID;
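One way to apply slide 16's recommendation across a whole application, as an added example rather than the slide deck's code, is a base page that sets the key during the init stage so that no individual page can forget it. The class name SecurePage is an assumption; the rest uses only the standard Page and HttpContext members.

```csharp
using System;
using System.Web.UI;

// Added example, not the slide deck's code: every page that inherits from
// SecurePage gets ViewStateUserKey set before its view state is loaded.
public class SecurePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        // The key must be in place before view state is loaded, which is why
        // the slide puts the assignment in the init stage (Page_Init / OnInit).
        // Context.Session is null when session state is disabled for the page;
        // Page.Session would throw in that case, so check the context instead.
        if (Context.Session != null)
            ViewStateUserKey = Context.Session.SessionID;
        base.OnInit(e);
    }
}
```

Two caveats a practitioner should keep in mind: ViewStateUserKey only has an effect while MAC validation (the tamper proofing on slide 12) is enabled, which is the default; and ASP.NET issues a fresh SessionID on every request until something has been stored in the session, so a site that uses this pattern usually writes a marker into Session in Session_Start to pin the ID down.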
  17.
     • Attacker (Evil Bob) requests a page
     • Server salts the ViewState hash using the attacker's username (Evil Bob)
     • Attacker tricks a normal user (Alice) into sending a request to the server passing in his view state
     • Web server notices that Alice's ViewStateUserKey (“Alice”) doesn't match the appended key (“Evil Bob”)
       – Exception is thrown
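To make the mechanism behind slides 12 and 17 concrete, here is an added console example that is neither the slide deck's code nor ASP.NET's real __VIEWSTATE serializer: a stripped-down model of the view-state MAC, with the ViewStateUserKey mixed into the MAC input the way slide 17 describes as salting. The validation key, the payload strings and the user names are constructed for the example. It shows the three outcomes the slides walk through: Evil Bob's own view state is accepted under his key, a decoded-and-modified payload is rejected because the attached MAC no longer matches, and Bob's untampered view state is rejected when it arrives in Alice's request.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not the slide deck's code and not ASP.NET's real __VIEWSTATE
// format: a small model of the tamper-proofing MAC (slide 12) salted with the
// ViewStateUserKey (slides 16-17). Key, payloads and user names are constructed.
static class ViewStateMacDemo
{
    // Stands in for the machineKey validationKey that a web farm must share.
    static readonly byte[] ValidationKey =
        Encoding.UTF8.GetBytes("constructed-validation-key-for-the-example");

    // Save view state: base64(payload) "." base64(HMAC-SHA1(userKey, payload)).
    // Mixing the user key into the MAC input is the "salting" on slide 17.
    public static string Save(string payload, string userKey)
    {
        byte[] data = Encoding.UTF8.GetBytes(payload);
        return Convert.ToBase64String(data) + "." + Convert.ToBase64String(Mac(data, userKey));
    }

    // Load view state: recompute the MAC under the *current* user's key and
    // compare. Returns null on any mismatch; ASP.NET throws instead, which is
    // what ends up on the generic error page of slide 13.
    public static string Load(string viewState, string userKey)
    {
        string[] parts = viewState.Split('.');
        if (parts.Length != 2) return null;
        byte[] data, presented;
        try
        {
            data = Convert.FromBase64String(parts[0]);
            presented = Convert.FromBase64String(parts[1]);
        }
        catch (FormatException) { return null; }

        byte[] expected = Mac(data, userKey);
        return FixedTimeEquals(expected, presented) ? Encoding.UTF8.GetString(data) : null;
    }

    static byte[] Mac(byte[] data, string userKey)
    {
        byte[] salt = Encoding.UTF8.GetBytes(userKey);
        byte[] input = new byte[salt.Length + 1 + data.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        input[salt.Length] = 0;   // separator so key/payload boundaries cannot shift
        Buffer.BlockCopy(data, 0, input, salt.Length + 1, data.Length);
        using (var hmac = new HMACSHA1(ValidationKey))
        {
            return hmac.ComputeHash(input);
        }
    }

    // Constant-time comparison so the check does not leak how many MAC bytes matched.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static void Main()
    {
        // 1. Evil Bob requests a page; the server saves view state under his key.
        string bobsViewState = Save("SortExpression=Price", "EvilBob");
        Console.WriteLine("Bob posts back his own view state: " + (Load(bobsViewState, "EvilBob") ?? "rejected"));

        // 2. Slide 10's decode/modify/re-encode: the payload changes, but the
        //    attached MAC cannot be recomputed without the validation key.
        string[] parts = bobsViewState.Split('.');
        string tampered = Convert.ToBase64String(Encoding.UTF8.GetBytes("SortExpression=Admin")) + "." + parts[1];
        Console.WriteLine("Tampered payload: " + (Load(tampered, "EvilBob") ?? "rejected"));

        // 3. Slide 17: Bob's untampered view state arrives in Alice's request.
        //    Her ViewStateUserKey differs, so the recomputed MAC no longer verifies.
        Console.WriteLine("Bob's view state sent by Alice: " + (Load(bobsViewState, "Alice") ?? "rejected"));
    }
}
```

The design point worth taking from the model is that the MAC alone stops modification but not replay of someone else's legitimately issued view state; binding the MAC to a per-user key is what closes the Evil Bob scenario, which is why slide 11 lists ViewStateUserKey as a separate control from tamper proofing and encryption.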
  18. Thank you