Viewstate thoughts
ASP.NET has had ViewState since it first came out, and it is a nice way of keeping persistent variables across postbacks. It stores any object you put in there, as well as any control you have on that specific page. It is pretty useful, except when people misuse it or it just gets too darn big.
One of the biggest concerns about using viewstate is storing sensitive data in it. Anyone who views the source of a page can see the data. Yes, it is "encrypted" as a Base64 character array, but Base64 is only an encoding, so it is pretty easy to decode it and view the contents.
The reason I bring this up is there was a blog post from one of the Microsoft developers about how to identify pages with high viewstates. I was reading through it and she has a link to Fritz Onion's ViewState Decoder. So I downloaded it and was taking a peek around in my viewstate, and I never realized how easy it was to find things in there. See below for part of my decrypted viewstate. But as you can see, the variable "ReportSelectedIndex" is something I have stored in viewstate and it was able to be exposed very easily. Now in this case it isn't sensitive or anything, but it could have been.

So just a word to the wise: be careful of what you put in your viewstate, or at the very least encrypt what you put in there.
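A quick way to check your own pages for this exposure is sketched below. It is an added example, not code from the original post or from ViewState Decoder: it pulls the `__VIEWSTATE` field out of saved page HTML, Base64-decodes it, and lists every readable string a visitor could see. The sample pages, the watch-list pattern and all function names are constructed for illustration.

```python
import base64
import re

FIELD_RE = re.compile(r'name="__VIEWSTATE"[^>]*\bvalue="([^"]*)"')
# Hypothetical watch list; tune it to the names your application uses.
SENSITIVE_RE = re.compile(r"pass|pwd|ssn|token|secret|card|connectionstring", re.I)


def readable_strings(raw, min_len=4):
    """Return runs of printable ASCII, like the Unix `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, raw)]


def audit_page(html):
    """Decode a page's __VIEWSTATE field and report what a visitor can read."""
    match = FIELD_RE.search(html)
    if not match:
        return {"found": False}
    raw = base64.b64decode(match.group(1))
    strings = readable_strings(raw)
    return {
        "found": True,
        "size_bytes": len(raw),
        # Unencrypted ASP.NET 2.0+ viewstate starts with the bytes FF 01.
        "plaintext_format": raw[:2] == b"\xff\x01",
        "readable": strings,
        "flagged": [s for s in strings if SENSITIVE_RE.search(s)],
    }


def make_page(payload):
    """Wrap raw bytes in the hidden field ASP.NET renders (constructed HTML)."""
    value = base64.b64encode(payload).decode("ascii")
    return f'<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="{value}" />'


# Constructed samples, not captured from a real site.
PLAIN_PAGE = make_page(b"\xff\x01\x0f\x05\x13ReportSelectedIndex\x05\x012"
                       b"\x05\x0cUserPassword\x05\x0cexample-only")
OPAQUE_PAGE = make_page(bytes(range(0x80, 0xC0)))  # stand-in for encrypted output

if __name__ == "__main__":
    for name, page in (("plain", PLAIN_PAGE), ("opaque", OPAQUE_PAGE)):
        print(name, audit_page(page))
```

A page served with `viewStateEncryptionMode="Always"` should come back with `plaintext_format` false and nothing in `readable`; anything in `flagged` is a value that belongs in server-side storage instead.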
Labels: .NET
posted by Tom Becker at
9/09/2008