Introduction to ASP.Net Viewstate
Download as PPTX, PDF1 like4,856 views
This document provides an introduction to ASP.NET ViewState. It discusses how ViewState is used to maintain state across postbacks in an HTTP protocol which is stateless. It describes where ViewState fits in the ASP.NET page lifecycle. It explains that ViewState persists state by storing name and value pairs in a base64 encoded string within a hidden form field. The document also covers best practices for using ViewState, including enabling and disabling it, potential security issues, and how to prevent tampering through encryption and using the ViewStateUserKey property.
![The View State Property
• Every control can stores its state
• Example
public string NavigateUrl
{
get {
string text = (string) ViewState["NavigateUrl"];
if (text != null)
return text;
else
return string.Empty;
}
set {
ViewState["NavigateUrl"] = value;
}
}
• whenever a control's property is read, the
control's ViewState is consulted](https://image.slidesharecdn.com/viewstate-101201022517-phpapp02/85/Introduction-to-ASP-Net-Viewstate-6-320.jpg)
![Storing Information in the Page's
ViewState Property
• persist page-specific and user-specific
information across postbacks
• Code would look like
– ViewState[keyName] = value
• example - creating a pageable, sortable DataGrid
• sort expression must be persisted across
postbacks](https://image.slidesharecdn.com/viewstate-101201022517-phpapp02/85/Introduction-to-ASP-Net-Viewstate-7-320.jpg)
Introduction to ASP.Net Viewstate
- 1. Introduction to ASP.NET ViewState - By Dhiraj Ranka (NII Consulting)
- 2. HTTP Protocol • Stateless • Uses cookies, sessions to maintain state • Where is ViewState in picture?
- 3. ASP.NET Page life cycle • verifying file access rights • resurrecting the user's session state (HTTP modules)
- 4. Page Life Cycle events
- 5. View State • persist state across post backs • store name and value pairs • “What sort of state needs to be persisted?” • in instantiation stage, control hierarchy is created • For example, <asp:Label runat="server" Font-Name="Verdana" Text="Hello, World!"></asp:Label>
- 6. The View State Property • Every control can stores its state • Example public string NavigateUrl { get { string text = (string) ViewState["NavigateUrl"]; if (text != null) return text; else return string.Empty; } set { ViewState["NavigateUrl"] = value; } } • whenever a control's property is read, the control's ViewState is consulted
- 7. Storing Information in the Page's ViewState Property • persist page-specific and user-specific information across postbacks • Code would look like – ViewState[keyName] = value • example - creating a pageable, sortable DataGrid • sort expression must be persisted across postbacks
- 8. The Cost of View State • Nothing comes for free, and view state is no exception • two performance hits for every request – In save view state control hierarchy is saved in base- 64 encoded string which is emitted in “__VIEWSTATE” hidden form field and in load view state the same is decoded and control hierarchy is updated – extra size to the Web page. Some times for view state- heavy pages can be tens of kilobytes
- 9. Enabling/Disabling ViewState • At control level – <asp:Label EnableViewState=“false”…></asp:Label> • At individual page level – <%@Page EnableViewState="False" %> – Page.EnableViewState = false; • At site/application level (in web.config) – <pages enableViewState="true">
- 10. View State and Security Implications • Its nothing but base-64 encoded string • Attacker can easily decode it, manipulate and encode back before sending it
- 11. Prevention • Tamper proofing • Encryption • The ViewStateUserKey Property
- 12. Tamper Proofing • Use a machine authentication check, or MAC • It ensure that the data received by a computer is the same data that it transmitted • hashing the view state data and appending this hash to the end of the view state • When post back occurs it checks to ensure that the appended hash matches up with the hashed value • default hashing algorithm used is SHA1 (MD5)
- 13. Generic Error
- 14. Encryption • To encrypt the view state, set the <machineKey> element's validation attribute in the machine.config file to 3DES – Can be SHA1, MD5, AES • the <machineKey> element contains validationKey and decryptionKey attributes • validationKey attribute for MAC • decryptionKey attribute for 3DES • Default values are “AutoGenerate,IsolateApp”
- 15. Concerns with Encryption • Previous settings works fine with single web server • In web farm, it's vital that all Web servers use the same keys for MAC and/or encryption and decryption • Use shared key among all web servers
- 16. The ViewStateUserKey Property • Must be assigned a string value in initialization stage(Page_Init event) • User-specific value as username, but can be guessable • Recommended value is SessionID • Code would look this (Page_Init event) – Page.ViewStateUserKey = Session.SessionID;
- 17. • Attacker(Evil Bob) requests a page • Server salting ViewState hash using attacker’s username(Evil Bob) • Attacker tricks Normal user(Alice) to request server passing in his view state • Web server notices that Alice’s ViewStateUserKey(“Alice”) doesn’t match up with the appended key (“Evil bob”) – Exception is thrown
- 18. Thank you