This is just a short reminder for myself – when configuring ASP.NET websites, don’t forget to Secure the viewstate. If you don’t, then the ViewState is just base64 encoded – and can be decoded.
Securing this involves:
- Setting a machine key in the web.config. In a load balanced environment, this machine key should be the same on all front-end servers; it’s used in encryption and decryption of the viewstate, and so has to be the same on all webservers. If it is not, and a user’s session skips to another server, then decryption of the viewstate will fail.
- Make sure the the validation algorithm is set to ‘AES’
- Make sure that the ‘decryption’ algorithm is set to auto.
That seems to be it. I did see instructions that said that I should:
- On the <pages> node, add the attribute viewStateEncryptionMode=”Always”
but I didn’t seem to have to do this. Actually, in the end I did have to set this too.
Edit: How to generate your machineKey easily