My blog has moved and can now be found at

No action is needed on your part if you are already subscribed to this blog via e-mail or its syndication feed.

Thursday, September 23, 2004
« BizTalk Question RE: WSE adapter and X.5... | Main | Enforcing Password Complexity »

Robert has a great post in which he talks about some of the attacks that can be mounted against web sites.. In particular he gives good info on hidden field tampering, sql injection and cross-site scripting.

I just wanted to add a couple of notes to his most excellent comments on protecting the viewstate.  By default, view state transmitted to the client includes a salted hash. But you can also use the <machineKey> element to specify the encryption keys, validation keys and the particular algorithm used to protect both the forms authentication cookies as well as the page level view state.

<machineKey validationKey="AutoGenerate,IsolateApps" 
    decryptionKey="AutoGenerate,IsolateApps" validation="SHA1" />

The IsolateApps setting is new to .NET 1.1 and tells ASP.NET to automatically generate the encryption keys and make them unique for each app. The validation attribute specifies the algorithm used for checking the integrity of the page-level viewstate.

The caveat is that in a web farm scenario you would have to explicitly generate the keys to keep them the same across the web farm nodes. When you do so, make sure you use a cryptographically strong key.  I would highly suggest using Keith Brown's "GenerateMachineKey" utility which can be found on pluralsight's tools page.

The other thing that can be done is to key the view state to an individual using a unique value of your choice.  This option, which is again only available in ASP.NET 1.1, is the Page.ViewStateUserKey. This needs to be applied in Page_Init because the key has to be provided to ASP.NET before view state is loaded. Here is an example:

void Page_Init (Object sender, EventArgs e)

    if (User.Identity.IsAuthenticated)
        ViewStateUserKey = User.Identity.Name;

Make sure you check out Robert's blog entry...


Tags:: Security
9/23/2004 10:08 PM Eastern Daylight Time  |  Comments [0]  |  Disclaimer  |  Permalink   
Comments are closed.