Encrypting your ViewState

This one puzzled me a bit – but I wanted to encrypt my viewstate in Sitecore. I set my machine key, and set my algorithms – but it didn’t seem to do anything.

The reason is that the <pages> node has a viewStateEncryptionMode setting, and its default (Auto) only encrypts ViewState on pages where a control has explicitly asked for it via Page.RegisterRequiresViewStateEncryption. The machineKey supplies the keys and algorithms; it does not by itself turn encryption on.

<pages validateRequest="true" viewStateEncryptionMode="Always">

Turn that on, and all seems good.


Secure your ASP.NET Viewstate

This is just a short reminder for myself – when configuring ASP.NET websites, don’t forget to secure the ViewState. If you don’t, the ViewState is only serialized and base64 encoded: anyone who can see the page can decode it and read whatever the controls stored in it. The MAC that ASP.NET adds by default protects it from tampering, not from being read.

Securing this involves:

  • Setting a machine key in the web.config. In a load balanced environment, this machine key must be the same on all front-end servers; it is used to sign (and, once enabled, encrypt) the ViewState, so if a postback lands on a server with a different key, validation fails and the request is rejected. Treat the key as a secret and keep it out of source control: anyone who holds it can forge ViewState that every server in the farm will accept.
  • Set the validation algorithm to HMACSHA256 (the .NET 4 default; ‘AES’ is still accepted here, but it is a legacy value).
  • Set the decryption algorithm to Auto, or to AES explicitly.

That seems to be it. I did see instructions that said that I should:

  • On the <pages> node, add the attribute viewStateEncryptionMode="Always"

but I didn’t seem to have to do this. Actually, in the end I did have to set this too.

Edit: How to generate your machineKey easily
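The following is an added example, not code from the original post: a small Python script that generates a machineKey element with fresh random keys (the largest sizes the validationKey and decryptionKey attributes accept) and audits a web.config for the checklist above – explicit keys, HMAC validation, AES decryption, MAC enabled and viewStateEncryptionMode="Always". The attribute names are the standard ASP.NET 4.x ones; the sample web.config fragments and the finding codes are constructed for this example.

```python
"""Generate an ASP.NET <machineKey> and audit web.config ViewState settings.

Added example, not the post's own code. Assumes the standard ASP.NET 4.x
attribute names (machineKey validationKey/decryptionKey/validation/decryption,
pages viewStateEncryptionMode/enableViewStateMac). The sample configs and the
finding codes below are constructed for illustration.
"""
import secrets
import xml.etree.ElementTree as ET

# validationKey accepts up to 128 hex chars (64 bytes); decryptionKey for
# AES accepts 16, 24 or 32 bytes, so 32 bytes (64 hex chars) gives AES-256.
VALIDATION_KEY_BYTES = 64
DECRYPTION_KEY_BYTES = 32
HMAC_ALGORITHMS = ("HMACSHA256", "HMACSHA384", "HMACSHA512")


def generate_machine_key() -> str:
    """Return a <machineKey> element with fresh random keys.

    Deploy the identical element to every server in a web farm, and keep it
    out of source control: whoever holds it can forge ViewState.
    """
    validation_key = secrets.token_hex(VALIDATION_KEY_BYTES).upper()
    decryption_key = secrets.token_hex(DECRYPTION_KEY_BYTES).upper()
    return (
        f'<machineKey validationKey="{validation_key}" '
        f'decryptionKey="{decryption_key}" '
        'validation="HMACSHA256" decryption="AES" />'
    )


def parse_machine_key(element_xml: str) -> dict:
    """Return the attributes of a <machineKey> element as a dict."""
    return dict(ET.fromstring(element_xml).attrib)


def audit_web_config(xml_text: str) -> list:
    """Return sorted finding codes for the ViewState settings in a web.config.

    An empty list means explicit keys, HMAC validation, AES/Auto decryption,
    MAC enabled and viewStateEncryptionMode="Always".
    """
    root = ET.fromstring(xml_text)
    findings = []
    mk = root.find("./system.web/machineKey")
    if mk is None:
        findings.append("machineKey.missing")
    else:
        for attr in ("validationKey", "decryptionKey"):
            # ASP.NET's default for an absent key attribute is AutoGenerate,
            # which is per-server and so breaks a load balanced farm.
            if mk.get(attr, "AutoGenerate,IsolateApps").startswith("AutoGenerate"):
                findings.append(f"machineKey.{attr}.autogenerate")
        validation = mk.get("validation")
        if validation is None:
            findings.append("machineKey.validation.unspecified")
        elif validation.upper() not in HMAC_ALGORITHMS:
            findings.append("machineKey.validation.notHmac")  # e.g. SHA1, MD5, legacy AES/3DES
        if mk.get("decryption", "Auto").upper() not in ("AUTO", "AES"):
            findings.append("machineKey.decryption.weak")  # DES / 3DES
    pages = root.find("./system.web/pages")
    # Default Auto only encrypts when a control requests it, so Always is required.
    if pages is None or pages.get("viewStateEncryptionMode", "Auto") != "Always":
        findings.append("pages.viewStateEncryptionMode.notAlways")
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings.append("pages.enableViewStateMac.off")
    return sorted(findings)


# Constructed sample: no machineKey, no encryption mode (a fresh site).
WEAK_CONFIG = """<configuration>
  <system.web>
    <pages validateRequest="true" />
  </system.web>
</configuration>"""

# Constructed sample mirroring the post's first attempt: explicit (placeholder)
# keys with validation="AES" and decryption="Auto", but no encryption mode.
POST_FIRST_ATTEMPT = f"""<configuration>
  <system.web>
    <machineKey validationKey="{'0' * 128}" decryptionKey="{'0' * 64}"
                validation="AES" decryption="Auto" />
    <pages validateRequest="true" />
  </system.web>
</configuration>"""


def hardened_config() -> str:
    """Constructed sample with a generated key and every setting applied."""
    return f"""<configuration>
  <system.web>
    {generate_machine_key()}
    <pages validateRequest="true" viewStateEncryptionMode="Always" enableViewStateMac="true" />
  </system.web>
</configuration>"""


if __name__ == "__main__":
    print(generate_machine_key())
    for name, cfg in (("weak", WEAK_CONFIG), ("first attempt", POST_FIRST_ATTEMPT), ("hardened", hardened_config())):
        print(f"{name}: {audit_web_config(cfg) or 'OK'}")
```

Running the script prints a ready-to-paste machineKey element and then audits the three constructed configs; the "first attempt" config reproduces the post's experience, where the machineKey is set but the ViewState still goes out unencrypted because viewStateEncryptionMode is left at its default.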

