C# .NET - EnableViewStateMac

Asked By Naresh Kumar on 22-Jan-10 01:02 AM
Hi all,

Can any one please explain me about "EnableViewStateMac".

Thanks in advance.

EnableViewStateMac

Kalit Sikka replied to Naresh Kumar on 22-Jan-10 01:04 AM
A EnableViewStateMAC is encoded version of the hidden variable that a page's viewstate is persisted to when sent to the browser.When EnableViewStateMAC is true for a page, the encoded and encrypted viewstate is checked to verify that it has not been tempered with on the client machine. 

re

Santhosh N replied to Naresh Kumar on 22-Jan-10 01:16 AM
In order to make the view state more secure, the ASP.NET @Page directive supports an attribute called EnableViewStateMac whose only purpose is detecting any possible attempt at corrupting original data. (The "Mac" in EnableViewStateMac stands for machine authentication check and, despite what some documentation claims, it is enabled by default.) When serialized, and if EnableViewStateMac is set to True, the view state is appended with a validator hash string based on the algorithm and the key defined in the <machineKey> section of the machine.config file. By default, the encryption algorithm is SHA1 and the encryption and decryption keys are auto-generated and stored in the Web server machine's Local Security Authority (LSA) subsystem. The LSA is a protected component of Windows NT®, Windows® 2000, and Windows XP. It provides security services and maintains information about all aspects of local security on a system.
If EnableViewStateMac is True, then when the page posts back the encrypted view state is algorithmically checked to verify that it has not been tampered with on the client. The net effect is that you might be able to read the contents of the view state, but to replace it you need the encryption key, which is in the Web server's LSA.
Read on http://msdn.microsoft.com/en-us/magazine/cc188774.aspx for further info on this

re

Web Star replied to Naresh Kumar on 22-Jan-10 01:19 AM

 EnableViewStateMac -- this is property of the Page directives which gets or sets a value indicating whether ASP.NET should verify message authentication codes (MAC) in the page's view state when the page is posted back from the client.

more details is here http://msdn.microsoft.com/en-us/library/system.web.ui.page.enableviewstatemac.aspx

Re
Naresh Kumar replied to Santhosh N on 22-Jan-10 02:00 AM
Thanks a lot.
re - EnableViewStateMac
DL M replied to Naresh Kumar on 22-Jan-10 03:09 AM
show this article
http://authors.aspalliance.com/PaulWilson/Articles/default.aspx?id=7&Print=True
http://www.dotnetspider.com/resources/1855-ASP-NET-Viewstate.aspx
REPLY
paresh tank replied to Naresh Kumar on 22-Jan-10 03:51 AM

EnableViewStateMacIndicates that ASP.NET should run a machine authentication check (MAC) on the page's view state when the page is posted back from the client. true if view state should be MAC checked; otherwise, false. The default is false.Note A view state MAC is an encrypted version the hidden variable that a page's view state is persisted to when sent to the browser. When you set this attribute to true, the encrypted view state is checked to verify that it has not been tampered with on the client..

OK........

Chetankumar Akarte replied to Naresh Kumar on 22-Jan-10 07:04 AM
Hi Naresh Kumar,

A view state MAC is an encoded version of the hidden variable that a page's view state is persisted to when sent to the browser. When you set the EnableViewStateMac attribute to true, the encoded and encrypted view state is checked to verify that it has not been tampered with on the client.

Set the EnableViewStateMac property to true when a high degree of data integrity is required between postbacks, or where there is a high risk of tampering. Setting EnableViewStateMac to 'false' (as described under section Server.Transfer) is not secure, for a secure solution please see,

http://support.microsoft.com/default.aspx?scid=kb;EN-US;316920

In most circumstances, do not set this property in code. Set the EnableViewStateMac attribute to true using the @ Page directive in the .aspx file. When the page is requested, the dynamically generated class sets the property.
cheers!!
Santhosh N replied to Naresh Kumar on 22-Jan-10 08:03 AM
end of post