Why ViewState doesn't work in ASP.NET?

Discussion in 'MCSD' started by jacksu, Feb 20, 2004.

  1. jacksu

    jacksu Guest

    I set the ViewState in Page_Load and try to get it in the
    click function, but it shows a NullPointException.

    Does ViewState only work within one request? Or can it go
    through the session?

    Thanks.

    Jack
     
    jacksu, Feb 20, 2004
    #1

  2. ViewState is good for each PostBack. If you don't post back, it goes away.
    After all, ViewState is data in a hidden field.
     
    Hayato Iriumi, Feb 20, 2004
    #2

  3. After all, ViewState is data in a hidden field.
    .... and nothing more than that.

    Kline Sphere (Chalk) MCNGP #3
     
    The Poster Formerly Known as Kline Sphere, Feb 21, 2004
    #3
  4. It's encrypted, though, right?


     
    Brunswick Lowe, Feb 21, 2004
    #4
  5. It's encrypted, though, right?

    No, just encoded.

    Kline Sphere (Chalk) MCNGP #3
     
    The Poster Formerly Known as Kline Sphere, Feb 21, 2004
    #5
  6. jacksu

    UAError Guest

    It is only encrypted if this is in the machine.config:

    <machineKey validation='3DES' />


    Building Secure ASP.NET Applications
    Chapter 8: Page 187

    Securing View State

    If your ASP.NET Web applications use view state:

    - Ensure the integrity of view state (to ensure
      it is not altered in any way while in transit)
      by setting the enableViewStateMac to true as
      shown below. This causes ASP.NET to generate
      a Message Authentication Code (MAC) on the
      page’s view state when the page is posted
      back from the client.

      <%@ Page enableViewStateMac="true" %>

    - Configure the validation attribute on the
      <machineKey> element in Machine.config, to
      specify the type of encryption to use for data validation.
      Consider the following:

      - Secure Hash Algorithm 1 (SHA1) produces a larger hash
        size than Message Digest 5 (MD5) so it is considered
        more secure. However, view state protected with SHA1
        or MD5 can be decoded in transit or on the client
        side and can potentially be viewed in plain text.
      - Use 3 Data Encryption Standard (3DES) to detect
        changes in the view state and to also encrypt it
        while in transit. When in this state, even if
        view state is decoded, it cannot be viewed in plain text.
     
    UAError, Feb 22, 2004
    #6
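
A simplified model of the distinction drawn in the posts above (an added example, not code from the thread or from ASP.NET): a base64 field with an appended HMAC-SHA1 tag is tamper-evident, yet anyone can still read it without the key. The field layout, key, sample state and function names are constructed assumptions and do not reproduce ASP.NET's actual view state serialization.

```python
import base64
import hashlib
import hmac

MAC_LEN = hashlib.sha1().digest_size        # 20-byte HMAC-SHA1 tag
SAMPLE_KEY = b"constructed-validation-key"  # constructed; stands in for the server's key
SAMPLE_STATE = b"role=user;cart=3"          # constructed page state

def encode_only(state: bytes) -> str:
    """Base64 with no MAC: the 'just encoded' case."""
    return base64.b64encode(state).decode("ascii")

def encode_with_mac(state: bytes, key: bytes) -> str:
    """Base64 of state + HMAC-SHA1(key, state): integrity without secrecy."""
    tag = hmac.new(key, state, hashlib.sha1).digest()
    return base64.b64encode(state + tag).decode("ascii")

def read_without_key(field: str) -> bytes:
    """What any holder of the page source can recover, no key required."""
    return base64.b64decode(field, validate=True)[:-MAC_LEN]

def server_load(field: str, key: bytes) -> bytes:
    """Server-side check: accept the state only if the trailing tag verifies."""
    raw = base64.b64decode(field, validate=True)
    if len(raw) < MAC_LEN:
        raise ValueError("field too short to carry a MAC")
    state, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, state, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("view state MAC validation failed")
    return state

def altered_copy(field: str, old: bytes, new: bytes) -> str:
    """Build a modified field to confirm the server-side check rejects it."""
    raw = base64.b64decode(field, validate=True)
    return base64.b64encode(raw.replace(old, new)).decode("ascii")

if __name__ == "__main__":
    field = encode_with_mac(SAMPLE_STATE, SAMPLE_KEY)
    print("readable without key:", read_without_key(field))
    print("server accepts:", server_load(field, SAMPLE_KEY))
    try:
        server_load(altered_copy(field, b"cart=3", b"cart=9"), SAMPLE_KEY)
    except ValueError as exc:
        print("server rejects altered field:", exc)
```

Hiding the contents as well requires encrypting the state, which is what the 3DES setting quoted above is for; the MAC alone only detects changes.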
  7. Good point.

    However, any data which requires secure transmission should [also]
    have been secured at the start of the conversation, as is the case
    when using https. The problem with only using the viewstatemac setting
    is that information (i.e. that contained in form variables) is sent as
    part of the request to the server and naturally not encrypted. As
    such, it is only the __VIEWSTATE field which is encrypted on the
    server, which is then sent back to client as part of the response.


    Kline Sphere (Chalk) MCNGP #3
     
    The Poster Formerly Known as Kline Sphere, Feb 22, 2004
    #7