This is quite a common topic, so this blogpost is more for my reference than anything else. I am sure many of my smart readers will have plenty to add to this discussion.
There are two ways of securing your ViewState –
a) Hash Code – this can be done by the following directive <%@ Page EnableViewStateMAC=”true” %>. Basically what this does is, it calculates a cryptographically strong checksum based on the current viewstate, When the page is posted back, it recalculates that checksum, and if they don’t match, the server knows that someone’s acting funny here, thats when it throws a HaXorF0und3xc3pti0n (Okay I’m just kidding here). Interestingly, Hashcodes are enabled by default, but many times you may need to turn it off so it works on Webfarms (because hey viewstate depends on the server key, and each server may have a different key). Thats’ a bad idea mm’kay !! Instead of disabling hashing, it is a much better idea on a webfarm scenario to configure your servers with the same key.
b) Encryption – Okay hash codes are simply “checking if the viewstate was changed”. It still doesn’t protect your data from being read at the client end (or haXXor end). To truly protect your data from prying eyes, you need to implement Encryption. Thats hella easy to turn on,
1. You can turn it on at the page level – <%@ Page ViewStateEncryptionMode=”Always” %> – What this’ll do is, it encrypts the whole darned thing, which means way too much overhead.
2. You can turn it on in the config file <pages viewStateEncryptionMode=”Always”> – which is even more overhead, cuz now it’s doin’ it for the full site.
3. Or you can do it at per control level by calling RegisterRequiresViewStateEncryption() method on the Page object. Do note that the page or config settings still override, thus if the page says “encryption – never”, and the control says “please encrypt my viewstate” – guess what – the viewstate ain’t encrypted no more !! (Oops) LOL .
Again just like hash codes, encryption uses the server-specific key defined in the machineKey section of your machine.config file. It is advisable that on a webfarm, you should set that key to a 3DES standard (largest possible key, I think it’s 128 for encryption and 48 for decryption) – and you should use the same programatically random generated key on ALL webfarm servers (webheads).