This is just a short reminder for myself – when configuring ASP.NET websites, don’t forget to Secure the viewstate. If you don’t, then the ViewState is just base64 encoded – and can be decoded.

Securing this involves:

• Setting a machine key in the web.config. In a load balanced environment, this machine key should be the same on all front-end servers; it’s used in encryption and decryption of the viewstate, and so has to be the same on all webservers. If it is not, and a user’s session skips to another server, then decryption of the viewstate will fail.
• Make sure the the validation algorithm is set to ‘AES’
• Make sure that the ‘decryption’ algorithm is set to auto.

That seems to be it. I did see instructions that said that I should:

• On the <pages> node, add the attribute viewStateEncryptionMode=”Always”

… but I didn’t seem to have to do this. Actually, in the end I did have to set this too.

Edit: How to generate your machineKey easily