If I disable ViewState via Page directive (EnableViewState="false"), am I taking a security risk by also disabling ViewStateMAC on the same page?
On a page with EnableViewState="false" directive, 1.3% of accesses result in a 500 error response with IIS logging "Viewstate verification failed. Reason: The viewstate supplied failed integrity check." IIS can also log that message and not throw a 500.
Disabling ViewStateMAC via Page directive seems to clear this up.
I like validation. If viewstate is supposed to be disabled, how much of the _VIEWSTATE value does ASP.NET parse? This is in .NET 2 (really 3.5)
TobinCataldo
Member
14 Points
8 Posts
ViewStateMAC considerations
Nov 01, 2012 08:24 PM|LINK
If I disable ViewState via Page directive (EnableViewState="false"), am I taking a security risk by also disabling ViewStateMAC on the same page?
On a page with EnableViewState="false" directive, 1.3% of accesses result in a 500 error response with IIS logging "Viewstate verification failed. Reason: The viewstate supplied failed integrity check." IIS can also log that message and not throw a 500. Disabling ViewStateMAC via Page directive seems to clear this up.
I like validation. If viewstate is supposed to be disabled, how much of the _VIEWSTATE value does ASP.NET parse? This is in .NET 2 (really 3.5)