Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

viewStateEncryptionMode="Always" not encrypting

Tags:

asp.net

encryption

cassini

iis-6

viewstate

Due to some security concerns i need to enable View State Encryption. I have viewstate & viewstateMAC turned off but i need to encrypt the "control state" string that is included in the __VIEWSTATE form parameter.

Currently my web.config looks like:

    <pages enableViewState="false" enableViewStateMac="false">

When i set the following, in cassini, my viewstate is encrypted: 

    <pages enableViewState="false" enableViewStateMac="false" viewStateEncryptionMode="Always">

When i make the same change on my IIS 6 server, nothing happens.

I see the app domain recycle(Event: Application '/LM/W3SVC/...' located in 'C:...' initialized for domain '...'). when i touch web.config but i do not get encrypted viewstate as with cassini. I have tried Site Stop/Start, IIS Reset Stop/Start, Clear ASP.NET Temporary file cache. Anyone have any suggestions on what needs to be done to configure this?

like image 889
felickz Avatar asked Jan 18 '23 21:01

felickz

1 Answers

I ran into a similar problem with this and it came down to the fact that if you pre-compile your site the web.config node for pages is ignored. You have to set those settings at compile to get it working. I know this is year late, but I figure if someone else comes here looking for solution to the problem this might be useful information.

A little blurb about this: http://blogs.msdn.com/b/asiatech/archive/2011/07/19/pages-settings-don-t-work-for-pre-compiled-asp-net-applications.aspx

  • (Link dead - blog pointed to this documentation: ASP.NET Web Site Project Precompilation Overview )

  • My customer had a viewstate MAC validation problem. As a workaround, he wanted to disable the viewstate MAC validation before find out the final solution. However, he was still seeing the problems after added follow settings in the configuration files.

    Customer’s application is a pre-compiled ASP.Net application with updatable option disabled. Looking at the code generated by compiler with above settings, we found these settings are hard coded. So, this means simply add the above setting into web.config doesn’t affect a pre-compiled application. To make this taking affect, the application has to be re-compiled.

    [DebuggerNonUserCode]

    private void __BuildControlTree(default_aspx __ctrl)

    {

    __ctrl.EnableViewStateMac = false;

__ctrl.EnableEventValidation = false;

    __ctrl.ViewStateEncryptionMode = ViewStateEncryptionMode.Never;

    This is a by-design behavior.

like image 158
HypnoticPancake Avatar answered Feb 15 '23 21:02

HypnoticPancake
Sign in to Comment

Related questions

what is the asp:textbox.MaxLength default value
adding a textbox server control from code behind?
sample/tutorial of using selenium 2.0 web driver in .net?
Multiple external JavaScript files using one script tag
SQL Server - How to select the most recent record per user?
Passing ASP.NET client IDs in to a javascript function
ASP.NET MVC 3 Unobtrusive Validation - Before Validate Event?
please suggest a hosted survey tool with an API [closed]
extending asp.net control in the website project
How to encode Unicode so both iPad and Excel can understand?
ASP.NET MVC 3 - Different Login Page for Authorize Attribute
RadComboBox adding an item to the top
gridview display the text instead of values
How to send multiple command arguments through command button ?(RowCommand Event)
Can you override Date.Now or Date.Today for debugging purposes in an ASP.NET web application?
how to get inbox folder instance?
Is there a directive to detect ASP.NET?
ELMAH works on local machine, but not on production [duplicate]
SOAP message with javax.xml.soap - namespace error?
RDLC Reports in mvc3 application

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!