asp.net viewstate encryption

xandrr picture xandrr · Dec 4, 2008 · Viewed 8.6k times · Source

I have a few questions about when and how viewstate is encrypted in asp.net 3.5. For instance, if I have a machinekey entry in my web.config like: decryptionKey="AutoGenerate,IsolateApps" validation="AES" decryption="Auto" />

Is viewstate encrypted at this point? Or do I need to specify the viewStateEncryptionMode in the page section also?

Also, is it possible to encrypt a formsauthentication cookie, but not encrypt viewstate at the same time?

Thanks for any help.

Answer

Dan Esparza picture Dan Esparza · Dec 4, 2008

The controls on the page can request that encryption be used for the ViewState, but even this request can be overridden by the page setting.

The ViewStateEncryptionMode enumeration has three values: Auto, Always, and Never. The default value is Auto.

ViewStateEncryptionMode.Auto

In this mode, ASP.NET will encrypt the ViewState for a page if any control on the page requests it. Note that this means all of the ViewState is encrypted, not just the ViewState for the control that requests it. A large part of the performance cost associated with encryption is in the overhead. So encrypting the whole ViewState is faster than doing separate encryption operations if more than one control makes the request.

ViewStateEncryptionMode.Never

As you would expect, in this mode ASP.NET will not encrypt the ViewState, even if the application is set for encryption and controls on the page have requested it. If you know that no data involved in the page needs to be encrypted, then it may be safe to set the mode to Never. However, at this point it is rare for the documentation about a control to disclose what is being saved in ViewState, so you will want to be careful if there is a chance that sensitive data could be exposed.

ViewStateEncryptionMode.Always

In this mode, ASP.NET does not wait for a control in the page to request encryption. ViewState is always encrypted. When working with sensitive data, it is a good practice to utilize encryption.

Source: http://msdn.microsoft.com/en-us/library/aa479501.aspx