Viewstate Encryption

Hi,

I'm having a problem with viewstate encryption on one of my websites. To
encrypt the viewstate, I'm using the following lines in my web.Config file:

<pages theme="Default" viewStateEncryptionMode="Always"
enableViewStateMac="true"></pages>

<machineKey validationKey="AutoGenerate,IsolateApps"
decryptionKey="AutoGenerate,IsolateApps"
validation="SHA1" />

Although the viewstate is encrypted, it actually looks like an MD5 hash.
Additionally, the viewstate value attribute contains exactly the same no
matter what I've put in the validation block (e.g. MD5, AES, 3DES, SHA1).

Am I missing something blindingly obvious?

Any help appreciated!
Cheers,
Dave F.
Nov 19 '07 #1
Isn't there an enableViewState="true" attribute you can add? Because what you
are describing sounds like "no ViewState"..
---Peter
"Inside every large program, there is a small program trying to get out."
http://www.eggheadcafe.com
http://petesbloggerama.blogspot.com
http://www.blogmetafinder.com
Nov 19 '07 #2
Hi Dave,

Please note the SHA1 and MD5 are used to tamper proof ViewState and, if
configured, the forms authentication ticket. Only the AES and 3DES are
supported to encrypt ViewState:

#How To: Configure MachineKey in ASP.NET 2.0
http://msdn2.microsoft.com/en-us/library/ms998288.aspx
<quote>
SHA1 – SHA1 is used to tamper proof ViewState and, if configured, the forms
authentication ticket. When SHA1 is selected for the validation attribute,
the algorithm used is HMACSHA1.
MD5 – MD5 is used to tamper proof ViewState and, if configured, the forms
authentication ticket.
AES – AES is used to encrypt ViewState with the key specified in the
decryptionKey attribute.
3DES – 3DES is used to encrypt ViewState with the key specified in the
decryptionKey attribute. This is the only way to encrypt ViewState in
ASP.NET 1.1. Both the forms authentication ticket and the ViewState are
tamper-proofed using SHA-1 and the key specified in the validationKey
attribute. Because the validation attribute is overloaded in ASP.NET 1.1,
ASP.NET 2.0 introduces a new decryption attribute.
</quote>
Also, it's recommended to use AES instead of 3DES:

#You may receive an error message when you access ASP.NET Web pages that
have ViewState enabled after you upgrade from ASP.NET 1.1 to ASP.NET 2.0
http://support.microsoft.com/kb/911722
<quote>
Theoretically, the 3DES algorithm is less secure than the AES (Rijndael)
algorithm. We recommend that you use the AES algorithm whenever possible to
help secure your system.
</quote>
Hope this helps.
Regards,
Walter Wang (wa****@online.microsoft.com, remove 'online.')
Microsoft Online Community Support

==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Nov 20 '07 #3
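
The split described in the reply above between validation (tamper-proofing) and encryption, as an added example that is not part of the original thread or Microsoft's code: a simplified Python model in which the state is followed by an HMAC-SHA1 tag and then Base64-encoded. The byte layout, function names, key and state values are assumptions made for illustration, not ASP.NET's actual ViewState serialization.

```python
import base64
import hashlib
import hmac

MAC_LEN = hashlib.sha1().digest_size  # 20 bytes for HMAC-SHA1


def protect(state: bytes, validation_key: bytes) -> str:
    """Append an HMAC-SHA1 tag to the state and Base64-encode the result."""
    tag = hmac.new(validation_key, state, hashlib.sha1).digest()
    return base64.b64encode(state + tag).decode("ascii")


def verify(field: str, validation_key: bytes) -> bytes:
    """Return the state if the tag matches; raise ValueError otherwise."""
    try:
        raw = base64.b64decode(field, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("not valid Base64") from exc
    if len(raw) < MAC_LEN:
        raise ValueError("field too short to hold a MAC")
    state, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, state, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("MAC validation failed")
    return state


def readable_without_key(field: str) -> bytes:
    """What any holder of the page source recovers: the state in clear."""
    return base64.b64decode(field)[:-MAC_LEN]


def modify_state_keep_tag(field: str, old: bytes, new: bytes) -> str:
    """Model a client-side edit: the state changes, the old tag is reused."""
    raw = base64.b64decode(field)
    edited = raw[:-MAC_LEN].replace(old, new) + raw[-MAC_LEN:]
    return base64.b64encode(edited).decode("ascii")


if __name__ == "__main__":
    key = b"constructed-validation-key"  # constructed sample key
    field = protect(b"role=user;cart=3", key)  # constructed sample state
    print("clear to any reader:", readable_without_key(field))
    try:
        verify(modify_state_keep_tag(field, b"user", b"admin"), key)
    except ValueError as err:
        print("server rejects edited field:", err)
```

The MAC only detects changes, so the state stays readable until a cipher (AES or 3DES with the decryptionKey) is applied as well.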
Thanks for your response Peter.

Adding the enableViewState="true" doesn't seem to make any difference (I was
also under the impression that ViewState="true" by default). Even with the
page (and machine key) elements as:

<pages theme="Default" enableViewState="true"
viewStateEncryptionMode="Always" enableViewStateMac="true"></pages>

<machineKey validationKey="AutoGenerate,IsolateApps"
decryptionKey="AutoGenerate,IsolateApps"
validation="SHA1" />

The resulting ViewState block looks like:

<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE"
value="1qcK2zxo...<snip>...Q+wvmxyDP4=" />

Changing the validation value to any of the other values results in an
identical viewstate block - the only way I can see that the value changes is
if I remove the encryption - at which point it reverts back to the Base64
encoding.

Cheers,
Dave
Nov 20 '07 #4
Thanks Walter,

Appreciate the comment and will be using 3DES once I can actually get it to
encrypt!

Cheers,
Dave
Nov 20 '07 #5
