Reputation: 67
While studying about view state, it was said that the view state value in the hidden variable is base64 encoded or also hashed with a MAC value. So at the time when the request is received by the server, the view state value is already encoded or hashed. So encoding and hashing is done before the request reaches the server. So if they are able to encode or hash a particular value, encoding or hashing is possible even before the request is made or reaches the server, we can encode or hash each and every piece of sensitive information in the form. Because, using tools like Fiddler, while the form is posted back, it reveals the values of all the controls, including the password.
I don't know whether the question is correct or not. Kindly guide me.
Thanks in advance
Jonathon
Upvotes: 0
Views: 1284
Reputation: 22456
The ViewState can contain data in several forms, e.g. strings, numbers, objects. In order to be able to transfer these data to the client on the response, the data need to be encoded in a string format, Base64 in this case. This doesn't have anything to do with encryption so you can view the information in Fiddler. By default, the ViewState is only encrypted if a control on the Page requests it (for details see this link).
The purpose of the ViewState is to store data in the page itself, send them to the client and receive the data again when the client posts the form to the server. Several mechanisms in ASP.NET build upon the ViewState. For instance, the text of a TextBox is stored in the ViewState when the page is sent to the client. When the PostBack reaches the server, the request contains the current text of the TextBox that might have been changed by the user. Also, the previous text of the TextBox is contained in the ViewState. The framework then compares the old value to the new one and raises the TextChanged event if any changes have been made.
It is important that the ViewState is not changed on the client as this could have severe effects on the application and its security. That's why a hash value is generated over the ViewState before the response is sent to the client. The hash value is contained in the response along with the ViewState. When the PostBack reaches the server, this hash value is used to check whether the ViewState has been changed at the client ("ViewState tampering"). In this case, an error is raised and the request is not processed.
For detailed information on the ViewState see this link.
Upvotes: 2
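The difference between encoding and the tamper check described in the answer above, as an added example that is not part of either post. It is a simplified model in Python, not ASP.NET's real serializer or key handling; `SERVER_KEY`, the JSON payload and all function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

# Assumption: stands in for the server-side validation key; it never leaves the server.
SERVER_KEY = b"constructed-demo-key"
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def protect(state: dict) -> str:
    """Server, before the response: serialize, append a keyed MAC, Base64-encode."""
    payload = json.dumps(state, sort_keys=True).encode()
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode()


def peek(field: str) -> dict:
    """Anyone holding the hidden field: Base64 decodes without any key."""
    raw = base64.b64decode(field)
    return json.loads(raw[:-MAC_LEN])


def verify(field: str) -> dict:
    """Server, on postback: recompute the MAC and reject the request on mismatch."""
    raw = base64.b64decode(field)
    if len(raw) <= MAC_LEN:
        raise ValueError("view state too short")
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        raise ValueError("view state failed integrity check")
    return json.loads(payload)


if __name__ == "__main__":
    field = protect({"TextBox1": "old text"})  # constructed sample state
    print("readable without the key:", peek(field))
    print("accepted by the server:  ", verify(field))
    # Change the payload but keep the old MAC, as a client-side edit would.
    raw = base64.b64decode(field)
    edited = base64.b64encode(raw.replace(b"old", b"new")).decode()
    try:
        verify(edited)
    except ValueError as err:
        print("rejected:", err)
```

The MAC only detects changes; the payload stays readable, which is why hiding the contents needs encryption on top of it.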