SSL and __VIEWSTATE
-
Is it necessary to encrypt viewstate from web.config even when SSL is being used? Does it provide any additional benefit or does it just slow down the server without any additional benefit? Thanks, Sam
Viewstate is already encrypted as is, the option to mess with it's encryption is to utilize a stronger routine. I am not an absolute security expert but I know some things so i would suggest that anything you can keep on the server you keep there and just utilize the viewstate for holding the data of non-sensitive material. If you are accepting whether or not they like pizza, by all means use the viewstate, if you are taking an SSN, then you should probably grab that value and hold it in a session variable and replace it on the page with the bullets and dont even mean anything. Cleako
-
Is it necessary to encrypt viewstate from web.config even when SSL is being used? Does it provide any additional benefit or does it just slow down the server without any additional benefit? Thanks, Sam
ViewState is base64 encoding. SSL is encrypting the channel communications.
Vasudevan Deepak Kumar Personal Homepage Tech Gossips
-
Is it necessary to encrypt viewstate from web.config even when SSL is being used? Does it provide any additional benefit or does it just slow down the server without any additional benefit? Thanks, Sam
Keep in mind that viewstate also slows down the transmission time and increases the bandwidth usage because it makes your page larger. .NET holds the viewstate information in a hidden form field so the text for that data is sent on each page request. Because of this, the user could try to modify the viewstate and send it back - so keep sensitive data in the session or in some data store on the server.