Introduction to ASP.Net Viewstate by Dhiraj Ranka @ null Mumbai Meet, November, 2010

1. Introduction to ASP.NET ViewState
- By Dhiraj Ranka (NII Consulting)

2. HTTP Protocol
• Stateless 
• Uses cookies, sessions to maintain state
• Where is ViewState in picture?

3. ASP.NET Page life cycle
• verifying file access rights
• resurrecting the user's session state
(HTTP modules)

4. Page Life Cycle events

5. View State
• persist state across post backs
• store name and value pairs
• “What sort of state needs to be persisted?”
• in instantiation stage, control hierarchy is
created
• For example,
<asp:Label runat="server" Font-Name="Verdana" Text="Hello,
World!"></asp:Label>

6. The View State Property
• Every control can stores its state
• Example
public string NavigateUrl
{
get {
string text = (string) ViewState["NavigateUrl"];
if (text != null)
return text;
else
return string.Empty;
}
set {
ViewState["NavigateUrl"] = value;
}
}
• whenever a control's property is read, the
control's ViewState is consulted

7. Storing Information in the Page's
ViewState Property
• persist page-specific and user-specific
information across postbacks
• Code would look like
– ViewState[keyName] = value
• example - creating a pageable, sortable DataGrid
• sort expression must be persisted across
postbacks

8. The Cost of View State
• Nothing comes for free, and view state is no
exception
• two performance hits for every request
– In save view state control hierarchy is saved in base-
64 encoded string which is emitted in “__VIEWSTATE”
hidden form field and in load view state the same is
decoded and control hierarchy is updated
– extra size to the Web page. Some times for view state-
heavy pages can be tens of kilobytes 

9. Enabling/Disabling ViewState
• At control level
– <asp:Label EnableViewState=“false”…></asp:Label>
• At individual page level
– <%@Page EnableViewState="False" %>
– Page.EnableViewState = false;
• At site/application level (in web.config)
– <pages enableViewState="true">

10. View State and Security Implications
• Its nothing but base-64 encoded string
• Attacker can easily decode it, manipulate and
encode back before sending it

11. Prevention
• Tamper proofing
• Encryption
• The ViewStateUserKey Property

12. Tamper Proofing
• Use a machine authentication check, or MAC
• It ensure that the data received by a computer
is the same data that it transmitted
• hashing the view state data and appending
this hash to the end of the view state
• When post back occurs it checks to ensure
that the appended hash matches up with the
hashed value
• default hashing algorithm used is SHA1 (MD5)

13. Generic Error

14. Encryption
• To encrypt the view state, set the
<machineKey> element's validation attribute
in the machine.config file to 3DES
– Can be SHA1, MD5, AES
• the <machineKey> element contains
validationKey and decryptionKey attributes
• validationKey attribute for MAC
• decryptionKey attribute for 3DES
• Default values are “AutoGenerate,IsolateApp”

15. Concerns with Encryption
• Previous settings works fine with single web
server
• In web farm, it's vital that all Web servers use
the same keys for MAC and/or encryption and
decryption
• Use shared key among all web servers

16. The ViewStateUserKey Property
• Must be assigned a string value in initialization
stage(Page_Init event)
• User-specific value as username, but can be
guessable
• Recommended value is SessionID
• Code would look this (Page_Init event)
– Page.ViewStateUserKey = Session.SessionID;

17. • Attacker(Evil Bob) requests a page
• Server salting ViewState hash
using attacker’s username(Evil
Bob)
• Attacker tricks Normal user(Alice)
to request server passing in his
view state
• Web server notices that Alice’s
ViewStateUserKey(“Alice”)
doesn’t match up with the
appended key (“Evil bob”) –
Exception is thrown

18. Thank you