Monday, 24 February 2014

Encrypt ViewState in ASP.NET

To reduce the chance of someone intercepting the information stored in the ViewState, it is good design to encrypt the ViewState.
There are different algorithms for encrypting the ViewState, such as SHA1, MD5 and 3DES. (I am not explaining the details of the algorithms in this article.)
The most popular algorithm for encrypting the ViewState is 3DES.
   <machineKey validation="3DES" />
   <pages enableViewStateMac="true" />
The above code just enables the ViewState MAC, and the encryption will be done with the 3DES algorithm.
The ViewStateEncryptionMode enumeration has three values: Auto, Always, and Never. The default value is Auto.
Auto: ASP.NET will encrypt the ViewState for a page if any control on the page requests it. Note that this means all of the ViewState is encrypted, not just the ViewState for the control that requests it.
Never: In this mode, ASP.NET will not encrypt the ViewState, even if the application is set for encryption and controls on the page have requested it.
Always: In this mode, ASP.NET does not wait for a control on the page to request encryption. ViewState is always encrypted. When working with sensitive data, it is good practice to use encryption.
You can encrypt the ViewState either with a page directive:
  <%@ Page ViewStateEncryptionMode="Always" %>
Or in the web.config file:
       <pages viewStateEncryptionMode="Always" />
After using all the encryption options, your config file will look like this:
   <machineKey validation="3DES" />
   <!-- Always: encrypt the ViewState on every page; the MAC stays enabled -->
   <pages viewStateEncryptionMode="Always" enableViewStateMac="true" />
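The settings described above can be checked automatically. The following Python script is an added example, not code from the original post: it audits every <pages> element in a web.config, and it goes one step beyond the article by also checking <location> overrides, which can weaken the site-wide setting for a single path. The names audit_viewstate and SAMPLE_CONFIG and the "reports" path are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from the article): the site-wide <pages>
# element is fine, but a <location> override weakens it for one path.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <machineKey validation="3DES" />
    <pages viewStateEncryptionMode="Always" enableViewStateMac="true" />
  </system.web>
  <location path="reports">
    <system.web>
      <pages viewStateEncryptionMode="Never" enableViewStateMac="false" />
    </system.web>
  </location>
</configuration>"""


def audit_viewstate(config_xml):
    """Return (scope, finding) tuples for every <pages> element in a web.config."""
    root = ET.fromstring(config_xml)
    findings = []
    # Site-wide settings sit under <configuration>/<system.web>; each
    # <location path="..."> can carry its own <system.web> override.
    scopes = [("site", root.find("system.web"))]
    for loc in root.findall("location"):
        scopes.append((loc.get("path", "(no path)"), loc.find("system.web")))
    for scope, system_web in scopes:
        pages = system_web.find("pages") if system_web is not None else None
        if pages is None:
            if scope == "site":
                findings.append((scope, "no <pages> element: encryption mode defaults to Auto"))
            continue
        # Values are lower-cased by this audit so odd casing is still caught.
        mode = pages.get("viewStateEncryptionMode", "Auto").lower()
        if mode == "never":
            findings.append((scope, "ViewState is never encrypted"))
        elif mode == "auto":
            findings.append((scope, "ViewState is encrypted only if a control requests it"))
        if pages.get("enableViewStateMac", "true").lower() == "false":
            findings.append((scope, "ViewState MAC is disabled"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit_viewstate(SAMPLE_CONFIG):
        print(f"[{scope}] {finding}")
```

An empty result means every <pages> element found uses Always with the MAC enabled.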

