How do I test enableViewStateMAC?

EnableViewStateMAC does _not_ encrypt the ViewState (the docs are wrong). This setting creates a MAC (Message Authentication Code) and appends that to the viewstate before sending to the client. After the post back to the server, ASP.NET calculates the MAC again and finds out if someone tampered with the data on the client.

So you gain integrity protection - but not confidentiality, which is highly recommended as you rely on data that's coming from outside your trust boundary (=the client).

You can easily test yourself - modify the viewstate and send it back - you should get an exception.

Why would you like to encrypt it?

PS. You'll find a tool called ViewStateDecoder from www.pluralsight.com to inspect the viewstate.

---
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

nntp://news.microsoft.com/microsoft.public.dotnet.security/<d39c956e.0503180144.6f4a8***@posting.google.com>

Hi,

I'm just wondering, I set the enableViewStateMAC to true and the machineKey validation to 3DES in my web.config. How do I test my asp.net pages if it's really working?

Thanks!
Mayet

[microsoft.public.dotnet.security]
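The append-a-MAC-then-recheck behaviour described in the reply, as an added example that is not part of the original thread and is not ASP.NET's own code: a simplified Python model showing that a MAC-protected field is still readable without the key, while a modified field is rejected on postback. The key, the sample state string, the function names and the choice of HMAC-SHA1 are assumptions made for the model; the real ViewState serialization format is not reproduced.

```python
import base64
import hashlib
import hmac

# Constructed demo key (assumption); ASP.NET takes its key from <machineKey>.
VALIDATION_KEY = b"constructed-demo-validation-key"
MAC_LEN = hashlib.sha1().digest_size  # 20 bytes for SHA-1


def protect(state: bytes, key: bytes = VALIDATION_KEY) -> str:
    """Server side: append a MAC to the serialized state, then base64-encode."""
    mac = hmac.new(key, state, hashlib.sha1).digest()
    return base64.b64encode(state + mac).decode("ascii")


def unprotect(field: str, key: bytes = VALIDATION_KEY) -> bytes:
    """Server side on postback: recompute the MAC and reject on mismatch."""
    raw = base64.b64decode(field, validate=True)
    if len(raw) < MAC_LEN:
        raise ValueError("field too short to contain a MAC")
    state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, state, hashlib.sha1).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        raise ValueError("MAC validation failed: state was modified")
    return state


def client_view(field: str) -> bytes:
    """What anyone holding the field can read without knowing the key."""
    return base64.b64decode(field)[:-MAC_LEN]


def tamper(field: str, old: bytes, new: bytes) -> str:
    """Model a client-side edit of the state that leaves the old MAC in place."""
    raw = base64.b64decode(field)
    return base64.b64encode(raw.replace(old, new, 1)).decode("ascii")


if __name__ == "__main__":
    field = protect(b"qty=1;total=19.99")  # constructed sample state
    print("readable without key:", client_view(field))
    print("unmodified postback :", unprotect(field))
    try:
        unprotect(tamper(field, b"total=19.99", b"total=00.01"))
    except ValueError as exc:
        print("modified postback   :", exc)
```
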