Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What is the purpose of __EVENTVALIDATION __VIEWSTATE in aspx?

Tags:

asp.net

Consider:

Content-Disposition: form-data; name="__VIEWSTATE"

/wEPDwUKMTQxNzIxMTc0MQ9kFgICAw8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YWRkflsROmXoLo8ar8ukWWYDh1Wr2BCwmhiAAqpX/xwqLq8=

Content-Disposition: form-data; name="__EVENTVALIDATION"

/wEWBgKJ1KD6AwKH3P+GBQLr/4HeAgKWoZqyCQLinqurDALt3oXMA0YLgb/Mt6KGihl+8ixYoY9A24wgHGGoPAINhuyP7nEl

We make a site where users can upload photos. Later we decided that users can also upload photos via other applications, and we like to have a uniform interface. So the other applications work with the same page.

We notice that we cannot upload photos unless we know the value of __EVENTVALIDATION and __VIEWSTATE.

Of course, the application can just load the uploading image, but that's kind of a hassle.

What are those for anyway? Is there a way to upload images to aspx upload web without specifying things?

like image 696
user4951 Avatar asked Jan 28 '13 08:01

user4951


People also ask

What is __ Eventvalidation?

ASP.NET 2.0 added a feature called event validation. Event validation checks the incoming values in a POST to ensure the values are known, good values.

What is event validation?

Event Validation is a new feature in ASP.NET 2.0 which provides an additional level of checks on postback actions. It verifies whether a postback from a control on client-side is really from that control and not from a malicious person trying to break your application.

What is __ ViewStateGenerator asp net?

Usage of the ViewStateGenerator parameter When the __VIEWSTATEGENERATOR parameter is known, it can be used for the ASP.NET applications that use . NET Framework version 4.0 or below in order to sign a serialised object without knowing the application path.


1 Answers

HTTP is a stateless protocol which means the client and server have no built in way of tracking the state of the application from one request to the next. Various technologies have been invented to circumvent this such as cookies. ViewState and event validation are two techniques used by ASP.NET to give a state-full feel to a web page.

The data in ViewState is the state of all the controls (input fields, check boxes, etc.) when they were sent down to the client. When the form is posted back to the server, ASP.NET can tell if the user has changed any values in any of the fields and can raise events reflecting this (CheckedChanged on a checkbox for example). Without ViewState, the server wouldn't be able to tell if any fields had changed.

Event Validation ensures that events raised on the client originate from the controls rendered by ASP.NET.

Here is a paper on ViewState and another that covers event validation.

like image 191
Greg B Avatar answered Nov 16 '22 02:11

Greg B