State
ASP.NET view state is a great feature and an essential tool for web development of today. It maintains the state of a page as it travels back and forth. There is no more need to worry about restoring values of page controls between postbacks. In this article you will get an in-depth perspective on view state. We will talk about ways of reducing unnecessary payload and protecting view state from prying eyes. Among IT professionals it has become popular to debunk, dissect, expose, and unleash things. In this article we will first debunk view state, and then dissect it. No, first unleash then debunk. I think.
string. I emphasize encoded because some folks assume view state is encrypted. Base64 is not an encryption algorithm. Base64 makes a string suitable for HTTP transfer plus it makes it a little hard to read. Just a little. It's easy to decode this string and see what's inside. Can this be a security issue? It sure can. We'll address your concern in due time. Stick around.
aspnetresources.com/articles/Vie State
1/19
11/22/11
even LiteralControl it has a property called EnableViewState. When a page is built every control that has this property enabled contributes to the view state by serializing its contents (in this case: converting its contents into a string). Now, some controls are easy to serialize, while others might give us grief.
What manages the view state is the StateBag class. This class is like a dictionary: you may store key/value pairs in it. This is how you store a piece of useful data in the view state:
    ViewState["SortOrder"] = "email";
When the page posts back its view state is taken apart (decoded) on the server and each control participating in the view state gets its value restored. There's an interesting gotcha you need to be aware of. Some controls get their values restored automatically (courtesy of ASP.NET) and you don't need to maintain their values!
I put together two almost identical pages: one is an ASP.NET web form, and the other one is plain HTML. The ASP.NET page has its view state turned off completely. See how it maintains text and selections once you click Submit. Scroll down to "Form Collection" to see what was posted. ASP.NET restored these values automatically!
The second page is old, "traditional", HTML. Click Submit to receive proof that control values won't be restored. What's the moral of this story? You don't always need view state enabled to maintain page state.
"When do I need it though? What's it for then?" Glad you asked. The prime candidates for participation in view state are those controls that don't post back with the HTTP form and controls added or populated dynamically. Let me give you an example. Suppose you have an empty dropdown list which you populate with user names from the database. When the page runs for the first time (!Page.IsPostBack. Rings a bell?) you need to databind it and fill it with user names. What happens once the page loads? Without view state the dropdown list will be empty. As you enable view state the dropdown list content will be restored on postback. Or... you would have to populate the list from the database every time the page posts back! If you weigh database access vs. view state the scale tips in favor of view state (unless the list of users is so huge that you'd rather ping the database each time instead of dragging around a giant view state string).
View State
No
minutes (default)
No No, limited support for: strings, integers, Booleans, arrays, ArrayList, hashtable, custom TypeConverters
Yes
Increases "HTML payload"? No
As you see some objects are a perfect fit for view state, while others had better be stored in the session. If you still need to store an object in the view state think about creating a TypeConverter for it to improve performance.
You may also disable view state on an entire page by modifying the Page directive:
    <%@ Page ... EnableViewState="false" %>
If you really wish you may also disable view state on the whole web application by adding the following line to your web.config:
    <pages enableViewState="false" />
Size Matters
Spammers know better. By trimming the view state where you can live without it you do yourself and others a favor by reducing payload and improving page performance. Just recently we were cleaning up dead view state in our main product at work. I was shocked how much lighter most pages have become. A couple of pages that didn't post back had large databound controls. By disabling view state on one of them the size of the view state went from 28K to 20 bytes! Quoting a 1400% reduction would be ridiculous but you get the point. The whole exercise proved to be well worth it. You need to thoroughly understand what each page does before you trim its view state.
engineered, it can as well be reverse engineered. Not that all "security consultants" out there
e gi ee ed, i ca a e be e e e e gi ee ed. N ha a " ec i c c ... S i , Mic f f i hei i fi i e i d ga e ec a e i a e - e i a . A d ea e e e ha P I i h he ad i gi The g d hi g i e e .N ca a A ea ia ie i e a e. Y ha he " ha ed ec e " i c ie ha e ii e i f ca ha ic ie bac ed a i .
a " he e ie a e a ea ff he e e ca e. i g g ha d .
he e e a a f i ea i he
B defa ASP.NET b i d a -ca ed Me age A hen ica ion Code (MAC) a d a e d i a e. Whe he age bac ASP.NET eca c a e he ha h a d c a e i he a i ed i h he ie a e i g. If he a e diffe e i e e dc a e . If i m c i e c n i agai ahn.ofg ' ice ha MAC a ida i i b defa : <ae ..ealVeSaea=tu"/ pgs . nbeiwttMc"re > I i g e e a ida i d be a id a T h a ec e ded ha ee MAC a ida i e ab ed a a i e . I fi g a ac , i.e. he a a ac e feed a e ha a d e ' e ih e-c ic a ac , h gh, beca e he ie d he age i e ec e de he ec i c e f he e . e-c ic a ac ef e ID, f a i ca e a he i e ech i
he ie e ha ee
' a a e
e . Thi i a ea
e. I ASP.NET 1.1 he P g ae e i e a e
ca ha a e (a he ica ed N a e: Thi i ac i .
e , Vie S a eU e Ke e a e). e if e b e a
. Se i i Page_I i
a dd
'
a ici a e i
ii e
By default ASP.NET creates MACs using the SHA1 hashing algorithm:
    <machineKey ... validation="SHA1" />
If you wish you may instruct it to use MD5 instead. SHA1 produces a larger hash than MD5 and is therefore considered more secure. Keep in mind, though, that the view state string can still be base64-decoded and viewed on the client.
d ha e he e
<ae ealVeSae"re ealVeSaea=tu"/ pgs nbeiwtt=tu" nbeiwttMc"re > <ahnK ..vldto=3E"/ mciee . aiain"DS > Si e a ha . He e' ha ha e behi d he c e : ASP.NET c ea e a a d a d e i i each e e ' L ca Sec i A h i (LSA). The ef e i bec e i ib e dec he ie a e i g i ce he " ha ed ec e " i ed ASP.NET e he e f LSA e c a d dec he ie a e. e c i a he e i e . e
e he
    <machineKey validationKey="value[,IsolateApps]"
                decryptionKey="value[,IsolateApps]"
                validation="SHA1|MD5|3DES" />
Let's take a closer look at machineKey attributes:
1. validationKey specifies the key for validation of the view state. ASP.NET will use this key when calculating MACs. The key must be 20 to 64 bytes (40 to 128 hexadecimal characters). The recommended key length is 64 bytes. This key should be generated in a random manner. If you tag IsolateApps to the end of the key value ASP.NET will generate a unique key for each application using the application's ID.
2. decryptionKey specifies the key used to encrypt and decrypt the view state when validation="3DES". The key must be 8 for DES encryption or 24 bytes for 3DES (16 or 48 hexadecimal characters respectively). The recommended key length is 48 bytes. This key should be generated in a random manner. If you tag IsolateApps to the end of the key value ASP.NET will generate a unique key for each application using the application's ID.
3. validation sets the type of encryption. When set to SHA1 or MD5 it instructs ASP.NET to use either SHA1 or MD5 algorithm to create view state MACs. When set to 3DES it instructs ASP.NET to encrypt the view state (also provides integrity checking) with the help of the Triple-DES symmetric encryption algorithm.
For your convenience I've put together an online machineKey Generator. The tool creates a complete machineKey that you can paste in your web.config.
If you still have doubts that view state can be very secure read on ... the database.
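What a generator for this element has to produce, together with a check of an existing element against the three attribute rules above. This is an added example in Python, not the article's tool or ASP.NET code; the function names are hypothetical, and the AutoGenerate value it flags is ASP.NET's auto-generated key setting, which the listing above does not show.

```python
import re
import secrets
import xml.etree.ElementTree as ET

HEX = re.compile(r"[0-9A-Fa-f]+")
MODES = ("SHA1", "MD5", "3DES")

def generate_machine_key(validation: str = "SHA1") -> str:
    """Emit a machineKey element with random keys of the recommended sizes."""
    vkey = secrets.token_hex(64).upper()  # 64 bytes = 128 hex characters
    dkey = secrets.token_hex(24).upper()  # 24 bytes = 48 hex characters (3DES)
    return (f'<machineKey validationKey="{vkey}" decryptionKey="{dkey}" '
            f'validation="{validation}" />')

def _key_findings(name: str, value: str, size_ok) -> list:
    key, _, modifier = value.partition(",")
    if modifier not in ("", "IsolateApps"):
        return [f"{name}: unknown modifier {modifier!r}"]
    if key == "AutoGenerate":
        return [f"{name}: generated per server, so farm members will disagree"]
    if not HEX.fullmatch(key):
        return [f"{name}: not a hexadecimal string"]
    if not size_ok(len(key)):
        return [f"{name}: {len(key)} hex characters is not an allowed size"]
    return []

def audit_machine_key(xml_text: str) -> list:
    """Check one machineKey element against the attribute rules listed above."""
    el = ET.fromstring(xml_text)
    if el.tag != "machineKey":
        return ["root element is not machineKey"]
    mode = el.get("validation", "")
    findings = [] if mode in MODES else [f"validation: unsupported value {mode!r}"]
    findings += _key_findings("validationKey", el.get("validationKey", ""),
                              lambda n: 40 <= n <= 128 and n % 2 == 0)
    findings += _key_findings("decryptionKey", el.get("decryptionKey", ""),
                              lambda n: n in (16, 48))
    if mode in ("SHA1", "MD5"):
        findings.append(f"validation: {mode} adds a MAC only, state stays readable")
    return findings

if __name__ == "__main__":
    print(generate_machine_key("3DES"))
    # Constructed weak element for the audit.
    weak = ('<machineKey validationKey="ABCD" '
            'decryptionKey="AutoGenerate,IsolateApps" validation="MD5" />')
    for finding in audit_machine_key(weak):
        print("-", finding)
```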
Good enough. LosFormatter lists two methods we're after:
    public void Serialize(Stream, object);
    public void Serialize(TextWriter, object);
and
    public object Deserialize(Stream);
    public object Deserialize(string);
    public object Deserialize(TextReader);
The Serialize method is the one that converts an instance of StateBag (second parameter) and writes it into a Stream or TextWriter. The Deserialize method performs the opposite task. It builds an instance of StateBag from a base64 encoded string, a stream or a TextReader.
Some code is in order to illustrate the mechanics of view state persistence:
    // Needs: using System.IO; using System.Text; using System.Web; using System.Web.UI;
    // Both overrides belong in the page's code-behind class (a class derived from Page).
    protected override void SavePageStateToPersistenceMedium(object viewState)
    {
        StringBuilder sb = new StringBuilder();
        StringWriter swr = new StringWriter(sb);
        LosFormatter formatter = new LosFormatter();
        formatter.Serialize(swr, viewState);
        swr.Close();
        // Store the textual representation of view state in the
        // database or elsewhere.
        // The serialized view state is available via sb.ToString()
    }

    protected override object LoadPageStateFromPersistenceMedium()
    {
        object objViewState;
        string strViewState = null;
        // View state should be read from the database or
        // elsewhere into strViewState.
        // No MAC is checked here, so the store must be writable by the server only.
        LosFormatter formatter = new LosFormatter();
        try
        {
            objViewState = formatter.Deserialize(strViewState);
        }
        catch
        {
            throw new HttpException("Invalid viewstate");
        }
        return objViewState;
    }
Here's the gist of the problem. Suppose you have a web page. The first page has a MAC appended to its view state (which is done by default, remember?). Now, what if you need to call Server.Transfer and you want to preserve its QueryString and the Form collection? You may do so by calling an overloaded Server.Transfer and passing true as its second parameter. Next, when this second page is invoked it receives the view state of the calling web form in its __VIEWSTATE hidden field. The view state authentication check will fail since the newly arrived view state is invalid on the second page. The KB article makes its point clear: view state is page scoped and is valid for that page only. View state should not be transferred across pages.
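A simplified model of the two behaviours covered so far: MAC validation of view state, and the check failing when a field reaches a different page. This is an added example in Python, not ASP.NET's code or wire format; HMAC-SHA1 stands in for the keyed hash, and mixing the page path into the MAC input is an assumption of the model. The page paths, key and state are constructed.

```python
import base64
import hashlib
import hmac
import secrets

MAC_LEN = hashlib.sha1().digest_size  # SHA1 digest is 20 bytes

def _mac(state: bytes, key: bytes, page: str) -> bytes:
    # Model assumption: the issuing page's identity is part of the MAC input,
    # which is what makes a protected field valid for that page only.
    return hmac.new(key, page.encode() + b"\x00" + state, hashlib.sha1).digest()

def protect(state: bytes, key: bytes, page: str) -> str:
    """Server, on render: append the MAC, then base64-encode for the hidden field."""
    return base64.b64encode(state + _mac(state, key, page)).decode("ascii")

def peek(field: str) -> bytes:
    """Anyone holding the page: base64-decode and read the state, no key needed."""
    return base64.b64decode(field)[:-MAC_LEN]

def validate(field: str, key: bytes, page: str) -> bytes:
    """Server, on postback: recompute the MAC and compare in constant time."""
    raw = base64.b64decode(field, validate=True)
    if len(raw) < MAC_LEN:
        raise ValueError("field too short to carry a MAC")
    state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    if not hmac.compare_digest(mac, _mac(state, key, page)):
        raise ValueError("MAC mismatch: state edited, or issued by another page")
    return state

def accepted(field: str, key: bytes, page: str) -> bool:
    try:
        validate(field, key, page)
        return True
    except ValueError:
        return False

KEY = secrets.token_bytes(64)               # constructed 64-byte validation key
STATE = b"SortOrder=email"                  # constructed sample state
FIELD = protect(STATE, KEY, "/users.aspx")  # hypothetical page path
# The same field after a client-side edit; the original MAC bytes are kept.
EDITED = base64.b64encode(
    base64.b64decode(FIELD).replace(b"email", b"phone", 1)).decode("ascii")

if __name__ == "__main__":
    print("readable without key:", peek(FIELD))
    print("original accepted   :", accepted(FIELD, KEY, "/users.aspx"))
    print("edited accepted     :", accepted(EDITED, KEY, "/users.aspx"))
    print("other page accepted :", accepted(FIELD, KEY, "/orders.aspx"))
```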
Summary
View state is of tremendous value for web developers. It abstracts you from the dirty work of persisting and restoring control values between page postbacks. However its ease of use has a price tag on it and you need to clearly understand when you do need to maintain view state at the expense of serving larger pages, and when you don't at the expense of inability to facilitate dynamic data. Decide judiciously what to store in the view state to avoid incurring overhead. This article taught you how to secure the view state from tampering. You also learned how to take it out of web forms and persist it on the server.
90 comments
John Sp lin
and on May 22, 2004
I've been searching for weeks for a document like this. Well done. Thanks!
Robert Pegg on June 09, 2004
Thanks! I have been working in a farm environment and lately have run into some view state issues. Although I understood view state (or thought I did), I needed a little more depth in an easy to read and comprehend format. I appreciate you taking the time to write this down.
Milan Negovan on September 30, 2004
I don't think there's a limitation.
La
on Jan a Be
a icle I ha e e e
Le Ja H i e i e e a 25, 2005 ide a e if he e age' i e b ie a e e .
he
ee i g i
e if he
age i acce
e , he e
ID
he a e. Y Whe he a c
eed hi hi f ic cc a a a
age a he e ac i de e d h ,I d '
a e i ec d a ic ha ab i.I ' a
d c ea e a c age i , i.e. h ib e, e
f ic . ch i ea i ic
ie a e cha ge . Pe ce a i .
I' e
f i . I ' a e ce e a ic e, e achi e e ge e a ha a ed
ab ie . Tha !
a e, a d
d i he f , M
ba a Ma ch 17, 2005 I e he f .
Thi i .....
he e ce e
a ic e. I ha e e e
ee
hi
ch g
d a ic e
ie
a e... Kee
I ha e ead a b he f ef ec ha e a c ec i a
i h he a e .I e ie . I
c ea ed b R ede . I ha e c ea e a e c i h i c ec i . he he i e ihi c a e i ed f he fi i e .b i i h i g he c ec i c af e a 4(
ge i g he f e a e ,b ec i ).
ge i g he I added i he
Thanks,
Milan Negovan on September 12, 2005
Bryan, you can't change view state from client-side script. You can go ahead and select/deselect checkboxes from js even if you disable view state on them. ASP.NET will restore their state anyway.
JfK on Oc obe 13, 2005 Can I Ge Rid Of Vie S a e Comple el ? Yo aid NO, I a YES: ha o ha e o do i :
1. n off Vie S a e in no mal 2. O e ide o f nc ion in cla and LoadPageS a eF omPe n ll.
a (machine.config, eb.config, @ di ec i e, ha e e ) inhe i ing f om Page: Sa ePageS a eToPe i enceMedi m one ha hing o be emp , econd one e n
i enceMedi m. Fi
hich o gh
Milan Negovan on October 13, 2005
I wouldn't go that far because the page "checksum" is there for a reason.
JfK on October 27, 2005
Hmm, ok, but what is the reason for this 'checksum' when you don't use view state anyway? I mean that when you've turned off view state for your app or machine why shouldn't you get rid off this little view state crap that is left behind? If I have some time I'll dive into Framework in hope of exploring what is this 'checksum' reason (I personally think that it is output of GetHashCode of the page, but I'm not sure about it).
a icle on ie
ic a icle! One of he be
E ik on Ma ch 06, 2006 Milan, o aid 'I o ldn' go ha fa beca ha e he page "check kno m" i he e fo a ea on.'. I ha i he e 'fo
he e
he ea on e acl i .. do o
mo e han j
Milan Negovan on March 06, 2006
I'm not 100% sure how the bare-bone checksum is built, but there's really no way of getting rid of it completely.
e HTTP? Whe
B ia Se Be
a ic e I' e e e ha e ha
G ea Sad e
da dea i g ' e ea
a Web Fa
a i g he i e
e di Oc g ea a ic e. b i ha e a d d af e a e a e c i . he i e ied f be 11, 2006 ha e e i ... i ed f e b e , chec b e , i b e , a d he a e f each fie d i h e e .f ("..."), b ig e he c ie a e . ,i bac he ead ih he age/c .a ad , i ' gge i ? f he a e i cha ged af e cce
ha i c bac , i ge c bac c ea ie
a d , eb i d bac . i' e
a da e de
a e af e
R.Na e h Oc Tha i e ha Ve be 13, 2006 M ch, hi ha bec ce Agai e Be a e ia i Vie S a e ic. U ade hi e
a ic e I ha e e e
G idVie . O
a fi e a d di I e ec a diffe e
a i i a G idVie , ad, a
a e Fie d
chec ed/ chec ed a he e e f he fi fi e. I d ' a he be i e hi . I a he g hei i i ia a e . I ied b h e ab e/di ab e Vie S a e f he chec b f af e A he G idVie he fi ecia e a a df iece he age. N Id hi g cha ge . The chec b g? O a be hi i e e ai he a e f e a a . fi e- ad. Wha d f ad i e. Vie S a e i
J h N Li e e e
Anil Redd on April 12, 2010
Thanks for posting such an awesome article. Pointed out all the aspects abt View state. U rock...Keep up the good work.
Copyright 2004