Question

During a discussion about security, a developer on my team asked if there was a way to tell if viewstate has been tampered with. I'm embarrassed to say that I didn't know the answer. I told him I would find out, but thought I would give someone on here a chance to answer first. I know there is some automatic validation, but is there a way to do it manually if event validation is not enabled?


Solution

EnableViewStateMac page directive

OTHER TIPS

ViewState by default is MIME encoded and hashed with a MAC key (either from the machine or from the web.config file), which helps prevent tampering (i.e. decoding blows up). You can also encrypt and compress ViewState if you like for further protection and less overhead, respectively. See MS ViewState and CodeProject.com

You might be able to do it manually, but you'd just be implementing the same algorithm that's already there for you. It's generally a bad idea to disable the ViewState validation on a page.
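The keyed-MAC tamper check the answers refer to, as an added sketch that is not code from the answers or from ASP.NET: it appends an HMAC-SHA256 tag to a state blob and rejects any blob whose tag does not verify. The `StateMac`, `Protect` and `Unprotect` names and the `payload || tag` layout are hypothetical and simplified, not ASP.NET's actual ViewState format, and the code assumes .NET 6 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper for illustration; not ASP.NET's real ViewState serializer.
static class StateMac
{
    const int MacLen = 32; // HMAC-SHA256 tag size in bytes
    // Returns Base64(payload || HMAC-SHA256(key, payload)).
    public static string Protect(byte[] payload, byte[] key)
    {
        using var hmac = new HMACSHA256(key);
        byte[] mac = hmac.ComputeHash(payload);
        byte[] blob = new byte[payload.Length + MacLen];
        Buffer.BlockCopy(payload, 0, blob, 0, payload.Length);
        Buffer.BlockCopy(mac, 0, blob, payload.Length, MacLen);
        return Convert.ToBase64String(blob);
    }

    // Returns the payload only if the trailing tag verifies; throws otherwise.
    public static byte[] Unprotect(string encoded, byte[] key)
    {
        byte[] blob = Convert.FromBase64String(encoded); // FormatException if not Base64
        if (blob.Length < MacLen)
            throw new CryptographicException("State blob too short to contain a MAC.");
        int n = blob.Length - MacLen;
        byte[] payload = blob.AsSpan(0, n).ToArray();
        using var hmac = new HMACSHA256(key);
        byte[] expected = hmac.ComputeHash(payload);
        // Constant-time comparison so timing does not reveal how many tag bytes matched.
        if (!CryptographicOperations.FixedTimeEquals(expected, blob.AsSpan(n, MacLen)))
            throw new CryptographicException("State MAC mismatch: blob modified or wrong key.");
        return payload;
    }
}

static class Program
{
    static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32); // constructed demo key
        string token = StateMac.Protect(Encoding.UTF8.GetBytes("role=user"), key);
        Console.WriteLine(Encoding.UTF8.GetString(StateMac.Unprotect(token, key)));
        byte[] raw = Convert.FromBase64String(token);
        raw[0] ^= 0x01; // constructed tampering: flip one bit of the payload
        try { StateMac.Unprotect(Convert.ToBase64String(raw), key); }
        catch (CryptographicException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```

The check is only as strong as the secrecy of the key: anyone who holds the key can produce a blob that verifies.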

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow