-----------------------------------------------------------
New Message on BDOTNET
-----------------------------------------------------------
From: VBGURU
Message 1 in Discussion
www.aravinda.in A Portal Driven By Values; Powered by Passion
enableViewStateMac: Gets or sets a value indicating whether ASP.NET should run a
message authentication check (MAC) on the page's view state when the page is
posted back from the client. Using enableViewStateMac requires that successive
requests be forwarded to the same server (i.e. server affinity). This feature
is used to help prevent tampering of a page's view state; however, it does so
based on an auto-generated validation key on the current server. From this
key, a message authentication code (MAC) is generated and sent in the ViewState
back to the browser. The problem is that if a POST back is performed and goes
to a different server, you will get a nice little error message saying
Corrupt View State.
To fix this, you can either set enableViewStateMac to false in the <pages>
element or specify a common value for the validationKey attribute in the
<machineKey> element across all servers (in the farm).
EnableViewStateMAC does _not_ encrypt the ViewState. This setting creates a
MAC (Message Authentication Code) and appends that to the viewstate before
sending to the client.
After the post back to the server, ASP.NET calculates the MAC again and finds
out if someone tampered with the data on the client.
So you gain integrity protection - but not confidentiality, which is highly
recommended as you rely on data that's coming from outside your trust boundary
(=the client).
You can easily test yourself - modify the viewstate and send it back - you
should get an exception.
You'll find a tool called ViewStateDecoder from www.pluralsight.com
to inspect the viewstate.
By the way, documentation says that this is OFF by default. That is incorrect!
Go check machine.config.
<!-- pages Attributes:
...
enableViewStateMac="[true|false]" // Default: false
<- Even the comment says that it is false.
...
-->
<pages
...
enableViewStateMac="true"
...
/>
Visit
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/gngrfPagesSection.asp
for more details.
Visit http://msdn.microsoft.com/msdnmag/issues/03/02/CuttingEdge/ for more
details.
Visit: nntp://news.microsoft.com/microsoft.public.dotnet.security/<[EMAIL
PROTECTED]>
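
Added example (not part of the original message, and not ASP.NET's own code): a simplified Python model of the MAC check described above, showing why a postback fails on a second server with its own auto-generated key, succeeds with a shared key, rejects modified state, and still leaves the state readable. HMAC-SHA256, the Server class, the helper names and the sample state are assumptions made for illustration; ASP.NET's real serialization and algorithm differ.

```python
import base64
import hashlib
import hmac
import os

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes
SAMPLE_STATE = b"role=user;cart=3"  # constructed sample view state


class Server:
    """Toy web server that protects view state with an HMAC (simplified model)."""

    def __init__(self, validation_key=None):
        # No explicit key: auto-generate one per server, as the post describes.
        self.key = validation_key or os.urandom(64)

    def issue(self, state: bytes) -> str:
        """Append the MAC to the state and base64-encode it for the hidden field."""
        mac = hmac.new(self.key, state, hashlib.sha256).digest()
        return base64.b64encode(state + mac).decode("ascii")

    def accept(self, field: str) -> bytes:
        """Recompute the MAC on postback; raise if it does not match."""
        raw = base64.b64decode(field)
        state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
        expected = hmac.new(self.key, state, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            raise ValueError("corrupt view state: MAC validation failed")
        return state


def postback_ok(server: Server, field: str) -> bool:
    """True if the server accepts the posted field, False if validation fails."""
    try:
        server.accept(field)
        return True
    except ValueError:
        return False


def tamper(field: str, old: bytes, new: bytes) -> str:
    """Client-side edit of the state bytes, keeping the original MAC."""
    raw = base64.b64decode(field)
    return base64.b64encode(raw.replace(old, new, 1)).decode("ascii")


def readable_by_client(field: str, needle: bytes) -> bool:
    """The MAC gives integrity only: the state is still plain base64."""
    return needle in base64.b64decode(field)
```
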