
ViewStateUserKey seems like a very useful feature to prevent some CSRF attacks. Why is it not enabled by default in ASP.NET applications?

Jarrod Everett
    Probably because the value used to represent the user key varies in different situations; some use Session ID, some use user name. – Brian Mains Aug 30 '12 at 17:37

1 Answer


Some thoughts on this:

The ViewStateUserKey can break the view state for a valid user, and as a result a valid user sees an error. So it is better to leave it out, and let only advanced programmers use it, who know why the view state breaks and can handle it if possible.

Let me give you an example.

If you use it as is:

// Must run in Init: the key has to be set before view state is loaded.
// Keying on the user name is what makes the key change when the login expires.
protected void Page_Init(object sender, EventArgs e)
{
   if (User.Identity.IsAuthenticated)
      ViewStateUserKey = User.Identity.Name;
}

and follow these steps:

  • a valid logged-in user sees a GridView on a page that does not require logging in
  • this user leaves the page for some time, and the login expires
  • now they try to page the GridView, and get a view state error

Why? Because the page was started using the ViewStateUserKey, but after the login has expired the ViewStateUserKey is now different (null, because the user is not logged in now), which breaks the view state; and at the same time this page does not require being logged in, so no redirection happens to ask for login again.

With this simple example, which really happened to me, I say that this parameter can break the view state, and if it were set by default it could lead to issues like that.

Related: ViewStateUserKey + shared hosting + ViewStateMac validation failure

http://www.hanselman.com/blog/ViewStateUserKeyMakesViewStateMoreTamperresistant.aspx

http://msdn.microsoft.com/en-us/library/ms972969.aspx

Conclusion from experience.

If you use this key on any page that does not require login, while you are logged in on other pages, this can easily create a view state error on postback and break the page and the postback. So it cannot be enabled by default, and whoever uses it must know about the case I describe above.

Aristos
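The failure mode described in the answer above (a key derived from User.Identity.Name changes when the login expires, so the next postback fails view state validation) can be avoided by keying on something that does not change across a login/logout transition and by handling the validation failure explicitly instead of showing an error page. The following is an added example and is not code from the original post; the class name CsrfHardenedPage and the session key "__vsuk_pin" are hypothetical, and it assumes in-process session state is enabled, which is the ASP.NET default.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Hypothetical base page (added example). Derive page classes from it instead
// of System.Web.UI.Page so every page gets the same ViewStateUserKey handling.
public class CsrfHardenedPage : Page
{
    // Hypothetical session slot used only to force ASP.NET to persist the session.
    private const string SessionPinKey = "__vsuk_pin";

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // ASP.NET issues a fresh SessionID on every request until something is
        // stored in session state. Pin the session first; otherwise the key
        // itself would differ between the GET that rendered the form and the POST.
        if (Session[SessionPinKey] == null)
            Session[SessionPinKey] = true;

        // Key the MAC on the session rather than the user name, so logging in or
        // being logged out between requests does not change it. This must be
        // set in Init (before view state is loaded), never in Load.
        ViewStateUserKey = Session.SessionID;
    }

    protected override void OnError(EventArgs e)
    {
        Exception ex = Server.GetLastError();

        // A ViewStateUserKey mismatch (expired session, or a forged postback)
        // surfaces as an HttpException wrapping System.Web.UI.ViewStateException.
        if (ex is HttpException && ex.InnerException is ViewStateException)
        {
            Server.ClearError();

            // The posted view state cannot be trusted or completed. Reload the
            // page with a GET so the user gets a fresh form keyed to the current
            // session, instead of a generic error page.
            Response.Redirect(Request.RawUrl, true);
            return;
        }

        base.OnError(e);
    }
}
```

With the session ID as the key, the only remaining mismatch case is the session itself expiring between the GET and the postback, which is exactly what the OnError override turns into a redirect; a forged cross-site postback, which cannot carry the victim's session ID inside the view state MAC, fails the same way and is rejected rather than processed.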