Tom Ritter <> writes:

>What's weird is I find confusing literature about what *is* the default for
>protecting the viewstate.

I still haven't seen the paper/slides from the talk so it's a bit hard to
comment on the specifics, but if you're using .NET's FormsAuthenticationTicket
(for cookie-based auth, not viewstate protection) then you get MAC protection
built-in, along with other nice features like sliding cookie expiration (the
cookie expires relative to the last active use of the site rather than an
absolute time after it was set).  I've used it in the past as an example of
how to do cookie-based auth right


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to

Reply via email to