4

Due to some security concerns I need to enable View State Encryption. I have viewstate & viewstateMAC turned off but I need to encrypt the "control state" string that is included in the __VIEWSTATE form parameter.

Currently my web.config looks like:

    <pages enableViewState="false" enableViewStateMac="false">

When I set the following, in Cassini, my viewstate is encrypted:

    <pages enableViewState="false" enableViewStateMac="false" viewStateEncryptionMode="Always">

When I make the same change on my IIS 6 server, nothing happens.

I see the app domain recycle (Event: Application '/LM/W3SVC/...' located in 'C:...' initialized for domain '...') when I touch web.config, but I do not get encrypted viewstate as with Cassini. I have tried Site Stop/Start, IIS Reset Stop/Start, Clear ASP.NET Temporary file cache. Does anyone have any suggestions on what needs to be done to configure this?

felickz
  • (I have asked this [before](http://stackoverflow.com/questions/6598199/asp-net-viewstate-encryption-issue) but the post got a bit too detailed... this is simplified as I am revisiting the issue!) – felickz Aug 23 '11 at 13:55
  • This doesn't answer your question, but since security is a concern, you should not set `enableViewStateMac` to `false`, and you should use the `ViewStateUserKey` property to protect you from CSRF attacks (which can happen even with an encrypted view state). Or even better, use this plugin: http://anticsrf.codeplex.com/. – Steven Aug 23 '11 at 14:19
  • Why do you have enableViewState set to false??? – James Johnson Aug 23 '11 at 15:37
  • I don't need it.. I have a custom built handler that acts as MVC on top of ASP.NET. Either way, so I changed my web.config to this and it still isn't encrypting: – felickz Aug 23 '11 at 18:13

1 Answer

9

I ran into a similar problem with this and it came down to the fact that if you pre-compile your site the web.config node for pages is ignored. You have to set those settings at compile time to get it working. I know this is a year late, but I figure if someone else comes here looking for a solution to the problem this might be useful information.

A little blurb about this: http://blogs.msdn.com/b/asiatech/archive/2011/07/19/pages-settings-don-t-work-for-pre-compiled-asp-net-applications.aspx

  • (Link dead - blog pointed to this documentation: ASP.NET Web Site Project Precompilation Overview)
  • My customer had a viewstate MAC validation problem. As a workaround, he wanted to disable the viewstate MAC validation before finding out the final solution. However, he was still seeing the problems after adding the following settings in the configuration files.

    Customer’s application is a pre-compiled ASP.NET application with the updatable option disabled. Looking at the code generated by the compiler with the above settings, we found these settings are hard coded. So, this means simply adding the above setting into web.config doesn’t affect a pre-compiled application. To make this take effect, the application has to be re-compiled.

        [DebuggerNonUserCode]
        private void __BuildControlTree(default_aspx __ctrl)
        {
            // Page-level settings are baked into the generated code at compile time.
            __ctrl.EnableViewStateMac = false;
            __ctrl.EnableEventValidation = false;
            __ctrl.ViewStateEncryptionMode = ViewStateEncryptionMode.Never;
            // ... (rest of the generated method not shown)
        }

    This is a by-design behavior.

felickz
HypnoticPancake
  • This was exactly how we deployed "pre-compiled ASP.Net application with updatable option disabled" and very likely was my issue. Never too late, thanks for the answer! – felickz Dec 22 '12 at 19:59
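
To confirm whether a `viewStateEncryptionMode` change actually took effect on a given server (the symptom in the question, and what a precompiled deployment would hide), the rendered page can be checked directly. The following is an added example, not code from the original posts: `check_viewstate` and `decode_field` are hypothetical names, the sample pages are constructed, and an "opaque" result only shows the value is not plaintext serializer output, not that the encryption is sound.

```python
import base64
import re
from urllib.parse import unquote

# ObjectStateFormatter output begins with marker 0xFF and version 0x01, so an
# unencrypted __VIEWSTATE decodes to bytes starting FF 01 ("/w" in base64).
PLAINTEXT_HEADER = b"\xff\x01"
FIELD_RE = re.compile(
    r'<input[^>]*\bname="(__VIEWSTATE|__VIEWSTATEENCRYPTED)"[^>]*\bvalue="([^"]*)"',
    re.IGNORECASE)

def decode_field(value):
    """Base64-decode a value copied from HTML or a URL-encoded POST body."""
    value = unquote(value).strip()
    value += "=" * (-len(value) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(value, validate=True)
    except ValueError:                # binascii.Error is a ValueError subclass
        return None

def check_viewstate(page_html):
    """Report how __VIEWSTATE in a rendered page looks on the wire."""
    fields = {name.upper(): val for name, val in FIELD_RE.findall(page_html)}
    # ASP.NET emits an empty __VIEWSTATEENCRYPTED field alongside encrypted state.
    result = {"encrypted_marker": "__VIEWSTATEENCRYPTED" in fields}
    if "__VIEWSTATE" not in fields:
        return {**result, "state": "missing"}
    raw = decode_field(fields["__VIEWSTATE"])
    if raw is None:
        result["state"] = "invalid"
    elif not raw:
        result["state"] = "empty"
    elif raw.startswith(PLAINTEXT_HEADER):
        result["state"] = "plaintext"  # the encryption setting did not take effect
    else:
        result["state"] = "opaque"     # not plaintext; consistent with encryption
    return result

# Constructed sample pages (not real application output).
FIELD = '<input type="hidden" name="%s" id="%s" value="%s" />'
PLAIN_PAGE = FIELD % ("__VIEWSTATE", "__VIEWSTATE", base64.b64encode(
    PLAINTEXT_HEADER + b"\x0f\x05\x0bcontrolstate").decode())
ENCRYPTED_PAGE = FIELD % ("__VIEWSTATE", "__VIEWSTATE", base64.b64encode(
    bytes(range(7, 55))).decode()) + FIELD % (("__VIEWSTATEENCRYPTED",) * 2 + ("",))

if __name__ == "__main__":
    for label, page in (("plain", PLAIN_PAGE), ("encrypted", ENCRYPTED_PAGE)):
        print(label, check_viewstate(page))
```

Running it against the same page fetched from the development server and from the IIS deployment shows directly whether the two builds differ.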