Thursday, February 24, 2005

ViewState in ASP.NET 1.x

ViewState is the mechanism ASP.NET uses to keep track of server control state values that don't otherwise post back as part of the HTTP form.

Read Susan Warren's excellent article, Taking a Bite Out of ASP.NET ViewState, for more detail about ViewState. Below I list the security-related facts about ViewState:

  • ViewState is merely base64-encoded (not encrypted)
  • ASP.NET appends a hash code to the ViewState field if EnableViewStateMAC is enabled
  • By default, ASP.NET generates the ViewState hash code using the SHA1 algorithm. You can select the MD5 algorithm by setting the machineKey validation type to MD5 in the machine.config file
  • Encryption: first, set EnableViewStateMAC="true"; then set the machineKey validation type to 3DES
  • ViewState security on a Web farm: by default, ASP.NET creates a random validation key and stores it in each server's Local Security Authority (LSA). In order to validate a ViewState field created on another server, the validationKey for both servers must be set to the same value. The validation key is a string of 20 to 64 random, cryptographically-strong bytes, represented as 40 to 128 hexadecimal characters. A 128-character key is recommended for machines that support it.

When MAC checking is enabled, a hash value computed from some server-side values and the view state user key, if any, is appended to the serialized view state. Even assuming a hacker has the skills to decode and rebuild the view state, he or she needs to know the server-stored values to come up with a valid hash. Specifically, the hacker needs to know the machine key referenced in the machineKey entry of machine.config. So, with MAC checking on, the view state is not at risk of tampering.

By default, the machineKey entry is autogenerated and physically stored in the Windows Local Security Authority (LSA). Only in the case of Web farms, where the view state's machine keys must be the same on all machines, should you specify it as clear text in the machine.config file.

Given the discussion above, setting ViewStateUserKey makes it much harder for hackers to use the content of the client-side view state to prepare malicious posts against the site.
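To make the configuration facts from the list above and the Web-farm discussion concrete, here is an added example (not from Susan Warren's article or the original post) showing the weak setting beside the hardened one as machine.config / web.config fragments. The validationKey value is a placeholder; generate your own random hex string of the length the post recommends.

```xml
<!-- Added example, not the original post's configuration. Two separate
     fragments of <system.web> are shown; they are not one document. -->

<!-- Fragment 1 (weak): MAC disabled. The ViewState field is then just
     base64-encoded data, so an altered copy is accepted on postback. -->
<system.web>
  <pages enableViewStateMac="false" />
</system.web>

<!-- Fragment 2 (hardened): MAC enabled, 3DES selected so the view state
     is encrypted as well as hashed, and an explicit validationKey so every
     server in the farm can validate view state produced by the others.
     On a single server you may leave validationKey="AutoGenerate" so the
     key stays in the LSA instead of clear text in the config file. -->
<system.web>
  <pages enableViewStateMac="true" />
  <machineKey
    validationKey="REPLACE_WITH_40_TO_128_HEX_CHARS_PLACEHOLDER"
    decryptionKey="AutoGenerate"
    validation="3DES" />
</system.web>
```

The ViewStateUserKey mentioned above is a Page property set in page code (for example in the page's initialization event), not a machineKey attribute, so it is not part of this fragment.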
