What is the purpose of __EVENTVALIDATION __VIEWSTATE in aspx?

Question

Consider:

Content-Disposition: form-data; name="__VIEWSTATE"

/wEPDwUKMTQxNzIxMTc0MQ9kFgICAw8WAh4HZW5jdHlwZQUTbXVsdGlwYXJ0L2Zvcm0tZGF0YWRkflsROmXoLo8ar8ukWWYDh1Wr2BCwmhiAAqpX/xwqLq8=

Content-Disposition: form-data; name="__EVENTVALIDATION"

/wEWBgKJ1KD6AwKH3P+GBQLr/4HeAgKWoZqyCQLinqurDALt3oXMA0YLgb/Mt6KGihl+8ixYoY9A24wgHGGoPAINhuyP7nEl

We make a site where users can upload photos. Later we decided that users can also upload photos via other applications, and we like to have a uniform interface. So the other applications work with the same page.

We notice that we cannot upload photos unless we know the value of __EVENTVALIDATION and __VIEWSTATE.

Of course, the application can just load the uploading image, but that's kind of a hassle.

What are those for anyway? Is there a way to upload images to aspx upload web without specifying things?

Answer 1

HTTP is a stateless protocol which means the client and server have no built in way of tracking the state of the application from one request to the next. Various technologies have been invented to circumvent this such as cookies. ViewState and event validation are two techniques used by ASP.NET to give a state-full feel to a web page.

The data in ViewState is the state of all the controls (input fields, check boxes, etc.) when they were sent down to the client. When the form is posted back to the server, ASP.NET can tell if the user has changed any values in any of the fields and can raise events reflecting this (CheckedChanged on a checkbox for example). Without ViewState, the server wouldn't be able to tell if any fields had changed.

Event Validation ensures that events raised on the client originate from the controls rendered by ASP.NET.

Here is a paper on ViewState and another that covers event validation.