Consider:
Content-Disposition: form-data; name="__VIEWSTATE"
/wEPDwUKMTQxNzIxMTc0MQ9kFgICAw8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YWRkflsROmXoLo8ar8ukWWYDh1Wr2BCwmhiAAqpX/xwqLq8=
Content-Disposition: form-data; name="__EVENTVALIDATION"
/wEWBgKJ1KD6AwKH3P+GBQLr/4HeAgKWoZqyCQLinqurDALt3oXMA0YLgb/Mt6KGihl+8ixYoY9A24wgHGGoPAINhuyP7nEl
We make a site where users can upload photos. Later we decided that users can also upload photos via other applications, and we like to have a uniform interface. So the other applications work with the same page.
We notice that we cannot upload photos unless we know the value of __EVENTVALIDATION and __VIEWSTATE.
Of course, the application can just load the uploading image, but that's kind of a hassle.
What are those for anyway? Is there a way to upload images to aspx upload web without specifying things?
ASP.NET 2.0 added a feature called event validation. Event validation checks the incoming values in a POST to ensure the values are known, good values.
Event Validation is a new feature in ASP.NET 2.0 which provides an additional level of checks on postback actions. It verifies whether a postback from a control on client-side is really from that control and not from a malicious person trying to break your application.
Usage of the ViewStateGenerator parameter When the __VIEWSTATEGENERATOR parameter is known, it can be used for the ASP.NET applications that use . NET Framework version 4.0 or below in order to sign a serialised object without knowing the application path.
HTTP is a stateless protocol which means the client and server have no built in way of tracking the state of the application from one request to the next. Various technologies have been invented to circumvent this such as cookies. ViewState and event validation are two techniques used by ASP.NET to give a state-full feel to a web page.
The data in ViewState is the state of all the controls (input fields, check boxes, etc.) when they were sent down to the client. When the form is posted back to the server, ASP.NET can tell if the user has changed any values in any of the fields and can raise events reflecting this (CheckedChanged
on a checkbox for example). Without ViewState, the server wouldn't be able to tell if any fields had changed.
Event Validation ensures that events raised on the client originate from the controls rendered by ASP.NET.
Here is a paper on ViewState and another that covers event validation.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With