Is EnableViewStateMAC = true required for ViewStateEncryption on ASP.Net?

I am currently fixing some security issues in our ASP.net web application.

One of the problems was that the ViewState was not encrypted.

So, I checked Stack Overflow and elsewhere on how to encrypt the ViewState, and I did this using <pages viewStateEncryptionMode="Always" /> and adding a 3DES machine key, like this: <machineKey validation="3DES" />, in the Web.config.

I would like to know if EnableViewStateMAC="true" is also required, as it was mentioned in some of the suggested solutions that I found on the Internet. But in my own testing, I found that encryption works even without it.

[NOTE. I had to make these changes at the application level (Web.config), as making individual page changes is not a practical solution for this application.]

+4
4 answers

Never set EnableViewStateMac to false, even if encryption is enabled. The MAC ensures that the client cannot maliciously interfere with the contents of the ViewState. (Encryption alone is not enough to guarantee this; a MAC is needed.)

The EnableViewStateMac property will be removed in a future version of the product, as there is no good reason to set it to false.

+17

Just in case:

Starting with ASP.NET 4.5.2, the runtime provides EnableViewStateMac = true

more details here: ASP.NET 4.5.2 and EnableViewStateMac

+3

You might want to note that since September 2014,

all ASP.NET 1.1 - 4.5.2 runtime versions now disallow setting

<%@ Page EnableViewStateMac="false" %>

and

<pages enableViewStateMac="false" />

http://blogs.msdn.com/b/webdev/archive/2014/09/09/farewell-enableviewstatemac.aspx

+1

This will be a problem when you host on multiple servers, because the machine keys are different.

If your project is running on a single machine, EnableViewStateMAC = true is safe.

Using enableViewStateMac requires consecutive requests to be sent to the same server (i.e. server affinity). This feature is used to prevent tampering with the page's view state; however, it does this based on an automatically generated validation key on the current server. A message authentication code (MAC) is generated from this key and sent with the ViewState back to the browser. The problem is that if a postback is performed and goes to another server, you will receive a "Corrupt View State" error message.

To fix this, you can either set enableViewStateMac to false, or specify a shared validationKey attribute value in the element on all servers (in the farm).

By the way, the documentation says that it is disabled by default. This is not true! Go check machine.config!

0
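The following Web.config fragment is an added example written for this page; it is not from the question or from any of the answers. It shows the encrypted-plus-MAC configuration the first answer recommends, the weak variant it warns against (kept commented out), and the explicit, shared machineKey that the last answer says a farm needs. The algorithm choices (HMACSHA256 for validation, AES for decryption) are this editor's, not the question's validation="3DES"; the key values are placeholders to be replaced with your own randomly generated keys.

```xml
<!-- Added example, not code from the question or answers.
     Key values below are PLACEHOLDERS, not real keys. -->
<configuration>
  <system.web>
    <!-- Encrypt the ViewState on every page and keep the MAC on.
         enableViewStateMac="true" is already the default; it is spelled
         out here so the intent is visible in a config review. -->
    <pages viewStateEncryptionMode="Always" enableViewStateMac="true" />

    <!-- WEAK: the setting the answers warn against. Without the MAC,
         a client can alter the ViewState blob without detection, even
         though the blob is encrypted.
    <pages viewStateEncryptionMode="Always" enableViewStateMac="false" />
    -->

    <!-- Explicit keys so every server in a farm validates and decrypts
         the same ViewState. With auto-generated keys each server has its
         own key, and a postback routed to another server fails MAC
         validation with the "Corrupt View State" error described above.
         validationKey: 64 random bytes written as 128 hex characters.
         decryptionKey: 32 random bytes written as 64 hex characters.
         Generate both with a cryptographic RNG, use the SAME values on
         every server, and keep them out of source control. -->
    <machineKey
      validation="HMACSHA256"
      validationKey="PLACEHOLDER_128_HEX_CHARS_SAME_ON_ALL_SERVERS"
      decryption="AES"
      decryptionKey="PLACEHOLDER_64_HEX_CHARS_SAME_ON_ALL_SERVERS" />
  </system.web>
</configuration>
```

The MAC and the encryption protect different things: encryption hides the ViewState contents, the MAC detects modification. Encryption without the MAC still leaves the page accepting whatever blob the client sends back, so the answer to the question is that enableViewStateMac stays true regardless of viewStateEncryptionMode, and the multi-server problem is solved by sharing keys, not by turning the MAC off.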
