Viewstate Encryption

Hi,

I'm having a problem with viewstate encryption on one of my websites. To
encrypt the viewstate, I'm using the following lines in my web.Config file:

<pages theme="Default" viewStateEncryptionMode="Always"
enableViewStateMac="true"></pages>

<machineKey validationKey="AutoGenerate,IsolateApps"
decryptionKey="AutoGenerate,IsolateApps"
validation="SHA1" />

Although the viewstate is encrypted, it actually looks like an MD5 hash.
Additionally, the viewstate value attribute contains exactly the same no
matter what I've put in the validation block (e.g. MD5, AES, 3DES, SHA1).

Am I missing something blindingly obvious?

Any help appreciated!
Cheers,
Dave F.
Nov 19 '07 #1
Isn't there an enableViewState="true" attribute you can add? Because what you
are describing sounds like "no ViewState"..
---Peter
"Inside every large program, there is a small program trying to get out."
http://www.eggheadcafe.com
http://petesbloggerama.blogspot.com
http://www.blogmetafinder.com
Nov 19 '07 #2
Hi Dave,

Please note the SHA1 and MD5 are used to tamper proof ViewState and, if
configured, the forms authentication ticket. Only the AES and 3DES are
supported to encrypt ViewState:

#How To: Configure MachineKey in ASP.NET 2.0
http://msdn2.microsoft.com/en-us/library/ms998288.aspx
<quote>
SHA1 - SHA1 is used to tamper proof ViewState and, if configured, the forms
authentication ticket. When SHA1 is selected for the validation attribute,
the algorithm used is HMACSHA1.
MD5 - MD5 is used to tamper proof ViewState and, if configured, the forms
authentication ticket.
AES - AES is used to encrypt ViewState with the key specified in the
decryptionKey attribute.
3DES - 3DES is used to encrypt ViewState with the key specified in the
decryptionKey attribute. This is the only way to encrypt ViewState in
ASP.NET 1.1. Both the forms authentication ticket and the ViewState are
tamper-proofed using SHA-1 and the key specified in the validationKey
attribute. Because the validation attribute is overloaded in ASP.NET 1.1,
ASP.NET 2.0 introduces a new decryption attribute.
</quote>
Also, it's recommended to use AES instead of 3DES:

#You may receive an error message when you access ASP.NET Web pages that
have ViewState enabled after you upgrade from ASP.NET 1.1 to ASP.NET 2.0
http://support.microsoft.com/kb/911722
<quote>
Theoretically, the 3DES algorithm is less secure than the AES (Rijndael)
algorithm. We recommend that you use the AES algorithm whenever possible to
help secure your system.
</quote>
Hope this helps.
Regards,
Walter Wang (wa****@online.microsoft.com, remove 'online.')
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Nov 20 '07 #3
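
The split described in the reply above, between the validation attribute (tamper-proofing) and the decryption attribute (cipher), can be checked against a web.config mechanically. This Python sketch is an added example, not code from the thread or from Microsoft; the names `audit_viewstate`, `THREAD_CONFIG` and `EXPLICIT_CONFIG` and both sample files are constructed here, and the fallback values assume ASP.NET 2.0 defaults.

```python
import xml.etree.ElementTree as ET

MAC_ONLY = {"SHA1", "MD5"}  # tamper-proofing only, per the MSDN text quoted above

# Constructed sample: the thread's <pages>/<machineKey> elements in a minimal file.
THREAD_CONFIG = """<configuration><system.web>
  <pages theme="Default" viewStateEncryptionMode="Always" enableViewStateMac="true" />
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps" validation="SHA1" />
</system.web></configuration>"""

# Constructed variant: the cipher is named explicitly with the decryption attribute.
EXPLICIT_CONFIG = THREAD_CONFIG.replace('validation="SHA1"',
                                        'validation="SHA1" decryption="AES"')

def _attrs(root, name):
    """Attributes of the first element called `name`, ignoring XML namespaces."""
    for el in root.iter():
        if el.tag.split("}")[-1] == name:
            return el.attrib
    return {}

def audit_viewstate(web_config_xml):
    """Report which web.config attribute governs each ViewState protection."""
    root = ET.fromstring(web_config_xml)
    pages, key = _attrs(root, "pages"), _attrs(root, "machineKey")
    report = {
        # Fallback values are the ASP.NET 2.0 defaults (assumed framework version).
        "mac_enabled": pages.get("enableViewStateMac", "true").lower() == "true",
        "encryption_mode": pages.get("viewStateEncryptionMode", "Auto"),
        "validation": key.get("validation", "SHA1"),
        "decryption": key.get("decryption", "Auto"),
        "notes": [],
    }
    if not report["mac_enabled"]:
        report["notes"].append("enableViewStateMac is off: ViewState is not tamper-proofed")
    if report["encryption_mode"] == "Never":
        report["notes"].append("viewStateEncryptionMode=Never: ViewState is not encrypted")
    if report["validation"] in MAC_ONLY and "decryption" not in key:
        report["notes"].append(
            "validation=%s selects the MAC only; the cipher comes from the "
            "decryption attribute, which is unset (Auto)" % report["validation"])
    return report

if __name__ == "__main__":
    for name, cfg in (("thread", THREAD_CONFIG), ("explicit", EXPLICIT_CONFIG)):
        print(name, audit_viewstate(cfg))
```
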
Thanks for your response Peter.

Adding the enableViewState="true" doesn't seem to make any difference (I was
also under the impression that ViewState="true" by default). Even with the
page (and machine key) elements as:

<pages theme="Default" enableViewState="true"
viewStateEncryptionMode="Always" enableViewStateMac="true"></pages>

<machineKey validationKey="AutoGenerate,IsolateApps"
decryptionKey="AutoGenerate,IsolateApps"
validation="SHA1" />

The resulting ViewState block looks like:

<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE"
value="1qcK2zxo...<snip>...Q+wvmxyDP4=" />
Changing the validation value to any of the other values results in an
identical viewstate block - the only way I can see that the value changes is
if I remove the encryption - at which point it reverts back to the Base64
encoding.

Cheers,
Dave
Nov 20 '07 #4
Thanks Walter,

Appreciate the comment and will be using 3DES once I can actually get it to
encrypt!

Cheers,
Dave
Nov 20 '07 #5
