• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content


Flash Player 9 (or above) is needed to view presentations.
We have detected that you do not have it on your computer. To install it, go here.

Like this presentation? Why not share!

Introduction to ASP.Net Viewstate



Introduction to ASP.Net Viewstate by Dhiraj Ranka @ null Mumbai Meet, November, 2010

Introduction to ASP.Net Viewstate by Dhiraj Ranka @ null Mumbai Meet, November, 2010



Total Views
Views on SlideShare
Embed Views



2 Embeds 71

http://null.co.in 70
http://www.slideshare.net 1



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

    Introduction to ASP.Net Viewstate Introduction to ASP.Net Viewstate Presentation Transcript

    • Introduction to ASP.NET ViewState
      - By DhirajRanka (NII Consulting)
    • HTTP Protocol
      Stateless 
      Uses cookies, sessions to maintain state
      Where is ViewState in picture?
    • ASP.NET Page life cycle
      verifying file access rights
      resurrecting the user's session state
      (HTTP modules)
    • Page Life Cycle events
    • View State
      persist state across post backs
      store name and value pairs
      “What sort of state needs to be persisted?”
      in instantiation stage, control hierarchy is created
      For example,
      <asp:Labelrunat="server" Font-Name="Verdana" Text="Hello, World!"></asp:Label>
    • The View State Property
      Every control can stores its state
      public string NavigateUrl
      get {
      string text = (string) ViewState["NavigateUrl"];
      if (text != null)
      return text;
      return string.Empty;
      set {
      ViewState["NavigateUrl"] = value;
      whenever a control's property is read, the control's ViewState is consulted
    • Storing Information in the Page's ViewStateProperty
      persist page-specific and user-specific information across postbacks
      Code would look like
      ViewState[keyName] = value
      example - creating a pageable, sortable DataGrid
      sort expression must be persisted across postbacks
    • The Cost of View State
      Nothing comes for free, and view state is no exception
      two performance hits for every request
      In save view state control hierarchy is saved in base-64 encoded string which is emitted in “__VIEWSTATE” hidden form field and in load view state the same is decoded and control hierarchy is updated
      extra size to the Web page. Some times for view state-heavy pages can be tens of kilobytes 
    • Enabling/Disabling ViewState
      At control level
      At individual page level
      <%@Page EnableViewState="False" %>
      Page.EnableViewState = false;
      At site/application level (in web.config)
      <pages enableViewState="true">
    • View State and Security Implications
      Its nothing but base-64 encoded string
      Attacker can easily decode it, manipulate and encode back before sending it
    • Prevention
      Tamper proofing
      The ViewStateUserKey Property
    • Tamper Proofing
      Use a machine authentication check, or MAC
      It ensure that the data received by a computer is the same data that it transmitted
      hashing the view state data and appending this hash to the end of the view state
      When post back occurs it checks to ensure that the appended hash matches up with the hashed value
      default hashing algorithm used is SHA1 (MD5)
    • Generic Error
    • Encryption
      To encrypt the view state, set the <machineKey> element's validation attribute in the machine.config file to 3DES
      Can be SHA1, MD5, AES
      the <machineKey> element contains validationKey and decryptionKeyattributes
      validationKeyattribute for MAC
      decryptionKeyattribute for 3DES
      Default values are “AutoGenerate,IsolateApp”
    • Concerns with Encryption
      Previous settings works fine with single web server
      In web farm, it's vital that all Web servers use the same keys for MAC and/or encryption and decryption
      Use shared key among all web servers
    • The ViewStateUserKeyProperty
      Must be assigned a string value in initialization stage(Page_Init event)
      User-specific value as username, but can be guessable
      Recommended value is SessionID
      Code would look this (Page_Init event)
      Page.ViewStateUserKey = Session.SessionID;
    • Attacker(Evil Bob) requests a page
      Server salting ViewState hash using attacker’s username(Evil Bob)
      Attacker tricks Normal user(Alice) to request server passing in his view state
      Web server notices that Alice’s ViewStateUserKey(“Alice”) doesn’t match up with the appended key (“Evil bob”) – Exception is thrown
    • Thank you