1 Reply Latest reply on Apr 20, 2012 1:25 PM by WillB

    .netviewstate and encryption

    Matthew Mangold Lurker

      While scanning one of our web applications I got an vulnerability that stated .netviewstate was not encrypted.  Is this a big deal if you are using SSL? 

        • .netviewstate and encryption
          WillB Level 4

          SSL protects you from others seeing a user's traffic, but in these case you are trying to protect your application from the user viewing or altering information that is contained in the request.  So the SSL doesn't really help since it is the user you are worried about (think malicious user).


          The viewstate can contain information that is passed along during a session and in some cases could contain data that you don't want to have the user be able to see or modify from request to request.  This is a rare situation as most data contained in a viewstate will not be of much significance.  But the best practice is to encrypt the viewstate to protect against the rare situation in which it may have sensitive information or allow modification in a way that would cause the application an issue.  Encryption keeps the user from being able to read or tamper with the viewstate information.  There really is no good reason not to encrypt except that it takes a few extra CPU cycles to perform the encryption.



          Hope this helps