-----------------------------------------------------------
New Message on MumbaiUserGroup
-----------------------------------------------------------
From: VBGuru
Message 1 in Discussion
www.aravinda.in A Portal Driven By Values; Powered by Passion

enableViewStateMac: Gets or sets a value indicating whether ASP.NET should run
a message authentication check (MAC) on the page's view state when the page is
posted back from the client. Using enableViewStateMac requires that successive
requests be forwarded to the same server (i.e. server affinity). This feature
is used to help prevent tampering of a page's view state; however, it does so
based on an auto-generated validation key on the current server. From this key,
a message authentication code (MAC) is generated and sent in the ViewState back
to the browser. The problem is that if a POST back is performed and goes to a
different server, you will get a nice little error message saying Corrupt View
State.
To fix this, you can either set enableViewStateMac to false in the <pages>
element or specify a common value for the validationKey attribute in the
<machineKey> element across all servers (in the farm).
EnableViewStateMAC does _not_ encrypt the ViewState. This setting creates a
MAC (Message Authentication Code) and appends that to the viewstate before
sending to the client.
After the post back to the server, ASP.NET calculates the MAC again and finds
out if someone tampered with the data on the client.
So you gain integrity protection - but not confidentiality, which is highly
recommended as you rely on data that's coming from outside your trust boundary
(=the client).
You can easily test yourself - modify the viewstate and send it back - you
should get an exception.
You'll find a tool called ViewStateDecoder from www.pluralsight.com
to inspect the viewstate.
By the way, documentation says that this is OFF by default. That is incorrect!
Go check machine.config.
<!-- pages Attributes:
...
enableViewStateMac="[true|false]" // Default: false
<- Even the comment says that it is false.
...
-->
<pages
...
enableViewStateMac="true"
...
/>
Visit
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/gngrfPagesSection.asp
for more details.
Visit http://msdn.microsoft.com/msdnmag/issues/03/02/CuttingEdge/ for more
details.
Visit: nntp://news.microsoft.com/microsoft.public.dotnet.security/<[EMAIL
PROTECTED]>
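
The behaviour described in the message above, as an added example that is not part of the original post and not ASP.NET's own code: a simplified Python model of a MAC-protected state field, showing the farm failure with auto-generated keys, the fix with a shared validation key, tamper detection, and the lack of confidentiality. Assumptions: HMAC-SHA256 over a base64 blob stands in for the real ViewState format, and the Server class, helper names and sample state are hypothetical.

```python
import base64, hashlib, hmac, os

MAC_LEN = 32  # HMAC-SHA256 digest size in bytes

class Server:
    """Hypothetical farm node that MAC-protects a state blob (simplified model)."""
    def __init__(self, validation_key=None):
        # No key configured: auto-generate one that only this server knows.
        self.key = validation_key or os.urandom(64)

    def protect(self, state: bytes) -> str:
        mac = hmac.new(self.key, state, hashlib.sha256).digest()
        return base64.b64encode(state + mac).decode()  # encoded, not encrypted

    def validate(self, field: str) -> bytes:
        raw = base64.b64decode(field)
        state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
        expected = hmac.new(self.key, state, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):  # constant-time comparison
            raise ValueError("corrupt view state")
        return state

def accepts(server: Server, field: str) -> bool:
    try:
        server.validate(field)
        return True
    except ValueError:
        return False

def tamper(field: str, old: bytes, new: bytes) -> str:
    """Client-side edit of the state that leaves the original MAC in place."""
    raw = base64.b64decode(field)
    return base64.b64encode(raw.replace(old, new, 1)).decode()

def demo() -> dict:
    state = b"role=user;cart=3"                 # constructed sample state
    a, b = Server(), Server()                   # farm nodes with auto-generated keys
    shared = os.urandom(64)                     # constructed shared validation key
    c, d = Server(shared), Server(shared)       # farm nodes configured with the same key
    field = a.protect(state)
    return {
        "same_server": accepts(a, field),
        "other_server_auto_key": accepts(b, field),
        "other_server_shared_key": accepts(d, c.protect(state)),
        "tampered": accepts(a, tamper(field, b"role=user", b"role=root")),
        "client_can_read": b"role=user" in base64.b64decode(field),
    }
```

Calling demo() returns one boolean per scenario; the last entry shows that anyone holding the field can read the state without any key.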