Introduction to ASP.Net Viewstate

null0x00 4,850 views 18 slides Dec 01, 2010
Slide 1
Slide 1 of 18
Slide 1
1
Slide 2
2
Slide 3
3
Slide 4
4
Slide 5
5
Slide 6
6
Slide 7
7
Slide 8
8
Slide 9
9
Slide 10
10
Slide 11
11
Slide 12
12
Slide 13
13
Slide 14
14
Slide 15
15
Slide 16
16
Slide 17
17
Slide 18
18

About This Presentation

Introduction to ASP.Net Viewstate by Dhiraj Ranka @ null Mumbai Meet, November, 2010

Size: 562.04 KB
Language: en
Added: Dec 01, 2010
Slides: 18 pages

Slide Content

Introduction to ASP.NET ViewState - By Dhiraj Ranka (NII Consulting)

HTTP Protocol Stateless  Uses cookies, sessions to maintain state Where is ViewState in picture?

ASP.NET Page life cycle verifying file access rights resurrecting the user's session state (HTTP modules)

Page Life Cycle events

View State persist state across post backs store name and value pairs “What sort of state needs to be persisted?” in instantiation stage, control hierarchy is created For example, < asp:Label runat ="server" Font-Name="Verdana" Text="Hello, World!"></ asp:Label >

The View State Property Every control can stores its state Example public string NavigateUrl { get { string text = (string) ViewState [" NavigateUrl "]; if (text != null) return text; else return string.Empty ; } set { ViewState [" NavigateUrl "] = value; } } whenever a control's property is read, the control's ViewState is consulted

Storing Information in the Page's ViewState Property persist page-specific and user-specific information across postbacks Code would look like ViewState [ keyName ] = value example - creating a pageable , sortable DataGrid sort expression must be persisted across postbacks

The Cost of View State Nothing comes for free, and view state is no exception two performance hits for every request In save view state control hierarchy is saved in base-64 encoded string which is emitted in “__VIEWSTATE” hidden form field and in load view state the same is decoded and control hierarchy is updated extra size to the Web page. Some times for view state-heavy pages can be tens of kilobytes 

Enabling/Disabling ViewState At control level < asp:Label EnableViewState =“false”…></ asp:Label > At individual page level <%@Page EnableViewState ="False" %> Page.EnableViewState = false ; At site/application level (in web.config ) <pages enableViewState ="true">

View State and Security Implications Its nothing but base-64 encoded string Attacker can easily decode it, manipulate and encode back before sending it

Prevention Tamper proofing Encryption The ViewStateUserKey Property

Tamper Proofing Use a machine authentication check , or MAC It ensure that the data received by a computer is the same data that it transmitted hashing the view state data and appending this hash to the end of the view state When post back occurs it checks to ensure that the appended hash matches up with the hashed value default hashing algorithm used is SHA1 (MD5)

Generic Error

Encryption To encrypt the view state, set the < machineKey > element's validation attribute in the machine.config file to 3DES Can be SHA1, MD5, AES the < machineKey > element contains validationKey and decryptionKey attributes validationKey attribute for MAC decryptionKey attribute for 3DES Default values are “ AutoGenerate,IsolateApp ”

Concerns with Encryption Previous settings works fine with single web server In web farm, it's vital that all Web servers use the same keys for MAC and/or encryption and decryption Use shared key among all web servers

The ViewStateUserKey Property Must be assigned a string value in initialization stage( Page_Init event) User-specific value as username, but can be guessable Recommended value is SessionID Code would look this ( Page_Init event) Page.ViewStateUserKey = Session.SessionID ;

Attacker(Evil Bob) requests a page Server salting ViewState hash using attacker’s username(Evil Bob) Attacker tricks Normal user(Alice) to request server passing in his view state Web server notices that Alice’s ViewStateUserKey (“Alice”) doesn’t match up with the appended key (“Evil bob”) – Exception is thrown

Thank you
Tags
aspnet viewstate
Categories
Technology
Download
Download Slideshow Get the original presentation file
Quick Actions
Statistics
  • Views 4,850
  • Slides 18
  • Favorites 1
  • Age 5481 days
Related Slideshows
8-top-ai-courses-for-customer-support-representatives-in-2025.pptx 11
8-top-ai-courses-for-customer-support-representatives-in-2025.pptx
JeroenErne2
48 views
7-essential-ai-courses-for-call-center-supervisors-in-2025.pptx 10
7-essential-ai-courses-for-call-center-supervisors-in-2025.pptx
JeroenErne2
47 views
25-essential-ai-courses-for-user-support-specialists-in-2025.pptx 13
25-essential-ai-courses-for-user-support-specialists-in-2025.pptx
JeroenErne2
37 views
8-essential-ai-courses-for-insurance-customer-service-representatives-in-2025.pptx 11
8-essential-ai-courses-for-insurance-customer-service-representatives-in-2025.pptx
JeroenErne2
34 views
Know for Certain 21
Know for Certain
DaveSinNM
22 views
PPT OPD LES 3ertt4t4tqqqe23e3e3rq2qq232.pptx 17
PPT OPD LES 3ertt4t4tqqqe23e3e3rq2qq232.pptx
novasedanayoga46
26 views
View More in This Category