ViewState security

zhaozj, 2021-02-16

I have recently been studying ViewState; my experience and summary follow:

Because ViewState is not stored as readable text, some people assume it is encrypted, but it is not. ViewState is only Base64-encoded, which guarantees that the value survives the round trip unchanged whatever response/request encoding the application uses; Base64 offers no confidentiality and no integrity protection.

You can add two levels of ViewState security to your application:

Tamper-proofing
Encryption

Note that ViewState security has a direct cost in the time needed to process and render an ASP.NET page: the more security you add, the slower the page. So do not add ViewState security you do not need.

Tamper-proofing

Although a hash code does not protect the confidentiality of the actual data in the ViewState field, it greatly reduces the chance that someone can deceive the application through ViewState; that is, it prevents a postback from returning values the application would normally not allow the user to set.

You can instruct ASP.NET to add a hash code to the ViewState field by setting the EnableViewStateMac property:

<%@ Page EnableViewStateMac="true" %>

EnableViewStateMac can be set at the page level or at the application level. On postback, ASP.NET generates a hash code over the ViewState data and compares it with the hash code stored in the returned value. If the hash codes do not match, the ViewState data is discarded and the controls are restored to their original settings.
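The following C# program is an added example, not code from the original post or from ASP.NET itself. It emulates the two mechanisms described so far: first it shows that a plain Base64 ViewState decodes straight back to its contents, then it emulates EnableViewStateMac by appending an HMAC-SHA1 over the payload and re-checking it on "postback", returning null (the equivalent of ASP.NET discarding the field) when a byte has been altered. The payload text and the key are constructed for the demo; real ASP.NET serializes the control tree in its own format and derives the key from machineKey, so only the principle carries over.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class ViewStateMacDemo
{
    // Constructed sample payload standing in for a serialized control tree.
    public static readonly string SamplePayload = "Price=19.99;Qty=1";

    // Base64 alone is an encoding: decoding recovers the text unchanged.
    public static string DecodeBase64(string viewState)
    {
        return Encoding.UTF8.GetString(Convert.FromBase64String(viewState));
    }

    // Emulates EnableViewStateMac=true on the way out: payload || HMAC-SHA1(payload), Base64-encoded.
    public static string Protect(byte[] validationKey, string payload)
    {
        byte[] data = Encoding.UTF8.GetBytes(payload);
        byte[] mac;
        using (var hmac = new HMACSHA1(validationKey))
        {
            mac = hmac.ComputeHash(data);
        }
        byte[] combined = new byte[data.Length + mac.Length];
        Buffer.BlockCopy(data, 0, combined, 0, data.Length);
        Buffer.BlockCopy(mac, 0, combined, data.Length, mac.Length);
        return Convert.ToBase64String(combined);
    }

    // Emulates the postback check: recompute the MAC and compare.
    // Returns null when the field does not verify (ASP.NET discards it and resets the controls).
    public static string Unprotect(byte[] validationKey, string viewState)
    {
        const int macLength = 20; // HMAC-SHA1 output size in bytes
        byte[] combined = Convert.FromBase64String(viewState);
        if (combined.Length < macLength) return null;

        int dataLength = combined.Length - macLength;
        byte[] data = new byte[dataLength];
        byte[] mac = new byte[macLength];
        Buffer.BlockCopy(combined, 0, data, 0, dataLength);
        Buffer.BlockCopy(combined, dataLength, mac, 0, macLength);

        byte[] expected;
        using (var hmac = new HMACSHA1(validationKey))
        {
            expected = hmac.ComputeHash(data);
        }
        // Constant-time comparison so the check itself leaks no timing information.
        return FixedTimeEquals(expected, mac) ? Encoding.UTF8.GetString(data) : null;
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Constructed demo key; a real deployment uses the machineKey validationKey.
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key-not-for-production");

        string unprotectedField = Convert.ToBase64String(Encoding.UTF8.GetBytes(SamplePayload));
        Console.WriteLine("Base64 only decodes to: " + DecodeBase64(unprotectedField));

        string field = Protect(key, SamplePayload);
        Console.WriteLine("MAC round trip: " + Unprotect(key, field));

        // Alter one payload byte, as a modified postback would, and verify it is rejected.
        byte[] raw = Convert.FromBase64String(field);
        raw[0] ^= 0x01;
        string altered = Convert.ToBase64String(raw);
        Console.WriteLine("Altered field accepted? " + (Unprotect(key, altered) != null));
    }
}
```

Run it with `dotnet run` in a console project; the last line prints `False`, which is the point of the hash code: the data is still readable by anyone who decodes the field, but it cannot be changed without the validation key.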

By default, ASP.NET uses the SHA1 algorithm to generate the ViewState hash code. Alternatively, the MD5 algorithm can be selected through a setting in the machine.config file, as shown below:

Encryption

Encryption protects the actual data values in the ViewState field. First, set EnableViewStateMac="true" as described above. Then set the machineKey validation type to 3DES; this tells ASP.NET to encrypt the ViewState value with the Triple DES symmetric encryption algorithm.

ViewState security in a web farm

By default, ASP.NET creates a random validation key and stores it in the Local Security Authority (LSA) of each server. For a ViewState field created on one server to be validated on another, the validationKey of both servers must be set to the same value. So if you apply either of the above ViewState security settings in a web farm, you must provide a single shared validation key to all servers.

The validation key is a random string of 20 to 64 cryptographically strong bytes, represented as 40 to 128 hexadecimal characters. The longer the key, the more secure, so 128 characters are recommended (if your machine supports it). For example:

The System.Security.Cryptography namespace contains the class RNGCryptoServiceProvider, which can be used to generate this string, as shown in the following example, GenerateCryptoKey.aspx:
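The post's GenerateCryptoKey.aspx is not reproduced on this page, so the following C# console program is an added example of the same idea and is not the author's code. It draws 64 cryptographically random bytes from the platform CSPRNG (RandomNumberGenerator.Create(), which on .NET Framework is the RNGCryptoServiceProvider the post names), renders them as the 128 hex characters the post recommends, and builds the machineKey element to copy into machine.config or web.config on every server in the farm. The `validation` attribute carries the algorithm choice discussed above (SHA1, MD5, or 3DES for encryption); the decryptionKey attribute and its 24-byte length are my assumption from the machineKey schema, not something the post mentions.

```csharp
using System;
using System.Security.Cryptography;

public static class MachineKeyGenerator
{
    // Returns `byteLength` cryptographically random bytes as upper-case hex
    // (two hex characters per byte, so 64 bytes give 128 characters).
    public static string GenerateHexKey(int byteLength)
    {
        if (byteLength < 20 || byteLength > 64)
            throw new ArgumentOutOfRangeException(nameof(byteLength),
                "validationKey must be 20 to 64 random bytes (40 to 128 hex characters)");

        var buffer = new byte[byteLength];
        // Platform CSPRNG; never use System.Random for key material.
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(buffer);
        }
        return BitConverter.ToString(buffer).Replace("-", "");
    }

    // Builds the element shared by all servers. `validation` is "SHA1" or "MD5"
    // for a hash code only, or "3DES" to also encrypt ViewState, as the post describes.
    // decryptionKey (24 bytes = 48 hex characters) is assumed from the machineKey schema.
    public static string BuildMachineKeyElement(string validation)
    {
        return string.Format(
            "<machineKey validationKey=\"{0}\" decryptionKey=\"{1}\" validation=\"{2}\" />",
            GenerateHexKey(64), GenerateHexKey(24), validation);
    }

    public static void Main(string[] args)
    {
        string validation = args.Length > 0 ? args[0] : "SHA1";
        Console.WriteLine(BuildMachineKeyElement(validation));
    }
}
```

Generate the element once, distribute it to every server in the farm over a trusted channel, and keep it out of source control; if it is ever exposed, regenerate it, because whoever holds the validation key can forge ViewState that passes the hash check.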

Please cite the original address when reprinting: https://www.9cbs.com/read-14023.html
