Taking a Bite Out of ASP.NET ViewState

Susan Warren

Microsoft Corporation

November 27, 2001

When I meet and talk to new ASP.NET page developers, one of the first things they usually ask me is, "What is that ViewState thing, anyway?" And often you can hear in their voices that same queasy fascination I feel when a waiter in some exotic restaurant parks a plateful of some previously unknown food in front of me. Somebody must think it's good; otherwise, they wouldn't be serving it. So, I'll try it, and maybe even love it, but it sure looks odd!

It's that way with ViewState too. Once you get past how it looks, you'll find many circumstances where you'll be delighted to have ViewState in your ASP.NET application, because it lets you do much more with much less code. But there will also be times when you'll want to definitely leave ViewState on the plate. We'll look at both scenarios, but first, let's answer that question about what is ViewState.

Answer: ViewState Maintains the UI State of a Page

The Web is stateless, and so are ASP.NET Pages. They are instantiated, executed, rendered, and disposed on every round trip to the server. As a Web developer, you can add statefulness using well-known techniques like storing state on the server in Session state or by posting a page back to itself. Take the sign up form in Figure 1 as an example.

Figure 1. Restoring posted form values

You can see I've picked an invalid value for my potluck item. Like most forms on the Web, this one is friendly enough to put a helpful error message and a star next to the field in error. In addition, all of the valid values I entered in the other text boxes and drop-down lists still appear in the form. This is possible, in part, because HTML form elements post their current values from the browser to the server in the HTTP header. You can use ASP.NET tracing to see the form values that are posted back, as in Figure 2.

Figure 2. Values posted in HTTP Form, as shown by ASP.NET trace

Before ASP.NET, restoring the values back into the form fields across multiple postbacks was entirely the responsibility of the page developer, who had to pick them out, one-by-one, from the HTTP form, and push them back into the fields. Happily, ASP.NET does this trick automatically, thus eliminating both a lot of grunt work and a lot of code for forms. But that's not ViewState.

ViewState is the mechanism ASP.NET uses to keep track of server control state values that don't otherwise post back as part of the HTTP form. For example, the text shown by a Label control is saved in ViewState by default. As a developer, you can bind data or programmatically set the Label just once when the page first loads, and on subsequent postbacks, the label text will be repopulated automatically from ViewState. So in addition to less grunt work and less code, the benefit of ViewState is often fewer trips to the database.

How ViewState Works

There's really nothing magical about ViewState. It's a hidden form field managed by the ASP.NET page framework. When ASP.NET executes a page, the ViewState values from the page and all of the controls are collected and formatted into a single encoded string, and then assigned to the value attribute of the hidden form field (specifically, <input type=hidden>). Since the hidden form field is part of the page sent to the client, the ViewState value is temporarily stored in the client's browser. If the client chooses to post the page back to the server, the ViewState string is posted back too. You can actually see the ViewState form field and its postback value in Figure 2 above.

Upon postback, the ASP.NET page framework parses the ViewState string and populates the ViewState properties for the page and each of the controls. The controls, in turn, use the ViewState data to rehydrate themselves to their former state.

There are three more small, but useful things to know about ViewState.

You must have a server-side form tag (<form runat=server>) in your ASPX page if you want to use ViewState. A form field is required so the hidden field that contains the ViewState information can post back to the server. And, it must be a server-side form so the ASP.NET page framework can add the hidden field when the page is executed on the server.

The page itself saves 20 or so bytes of information into ViewState, which it uses to distribute PostBack data and ViewState values to the correct controls upon postback. So, even if ViewState is disabled for the page or application, you may see a few remaining bytes in ViewState.

In cases where the page does not post back, you can eliminate ViewState from a page by omitting the server side <form> tag.

Getting More from ViewState

ViewState is a marvelous way to track the state of a control across postbacks since it doesn't use server resources, doesn't time out, and works with any browser. If you are a control author, you'll definitely want to check out Maintaining State in a Control.

Page authors can also benefit from ViewState in much the same way. Occasionally your pages will contain UI state values that aren't stored by a control. You can track values in ViewState using a programming syntax is similar to that for Session and Cache:

[Visual Basic]' save in ViewState

ViewState("SortOrder") = "DESC"

' read from ViewState

Dim SortOrder As String = CStr(ViewState("SortOrder"))

[C#]// save in ViewState

ViewState["SortOrder"] = "DESC";

// read from ViewState

string sortOrder = (string)ViewState["SortOrder"];

Consider this example: you want to display a list of items in a Web page, and each user wants to sort the list differently. The list of items is static, so the pages can each bind to the same cached set of data, but the sort order is a small bit of user-specific UI state. ViewState is a great place to store this type of value. Here's the code:

[Visual Basic]<%@ Import Namespace="System.Data" %>

<HTML>

<HEAD>

<title>ViewState for Page UI State Values</title>

</HEAD>

<body>

<H3>

Storing Non-Control State in ViewState

</H3>

<P>

This example stores the current sort order for a static

list of data in ViewState.<br>

Click the link in the column header to sort the data by that field.<br>

Click the link a second time to reverse the sort direction.

<asp:datagrid id="DataGrid1" runat="server"

OnSortCommand="SortGrid" BorderStyle="None" BorderWidth="1px"

BorderColor="#CCCCCC" BackColor="White" CellPadding="5" AllowSorting="True">

<HeaderStyle Font-Bold="True" ForeColor="White"

BackColor="#006699">

</HeaderStyle>

</asp:datagrid>

</P>

</form>

</body>

</HTML>

' SortField property is tracked in ViewState

Property SortField() As String

Get

Dim o As Object = ViewState("SortField")

If o Is Nothing Then

Return String.Empty

End If

Return CStr(o)

End Get

Set(Value As String)

If Value = SortField Then

' same as current sort file, toggle sort direction

SortAscending = Not SortAscending

End If

ViewState("SortField") = Value

End Set

End Property

' SortAscending property is tracked in ViewState

Property SortAscending() As Boolean

Get

Dim o As Object = ViewState("SortAscending")

If o Is Nothing Then

Return True

End If

Return CBool(o)

End Get

Set(Value As Boolean)

ViewState("SortAscending") = Value

End Set

End Property

Private Sub Page_Load(sender As Object, e As EventArgs) Handles MyBase.Load

If Not Page.IsPostBack Then

BindGrid()

End If

End Sub

Sub BindGrid()

' Get data

Dim ds As New DataSet()

ds.ReadXml(Server.MapPath("TestData.xml"))

Dim dv As New DataView(ds.Tables(0))

' Apply sort filter and direction

dv.Sort = SortField

If Not SortAscending Then

dv.Sort += " DESC"

End If

' Bind grid

DataGrid1.DataSource = dv

DataGrid1.DataBind()

End Sub

Private Sub SortGrid(sender As Object, e As DataGridSortCommandEventArgs)

DataGrid1.CurrentPageIndex = 0

SortField = e.SortExpression

BindGrid()

End Sub

</script>

[C#]<%@ Page Language="C#" %>

<%@ Import Namespace="System.Data" %>

<HTML>

<HEAD>

<title>ViewState for Page UI State Values</title>

</HEAD>

<body>

<H3>

Storing Non-Control State in ViewState

</H3>

<P>

This example stores the current sort order for a static

list of data in ViewState.<br>

Click the link in the column header to sort the data by that field.<br>

Click the link a second time to reverse the sort direction.

<asp:datagrid id="DataGrid1" runat="server" OnSortCommand="SortGrid"

BorderStyle="None" BorderWidth="1px" BorderColor="#CCCCCC"

BackColor="White" CellPadding="5" AllowSorting="True">

</HeaderStyle>

</asp:datagrid>

</P>

</form>

</body>

</HTML>

// SortField property is tracked in ViewState

string SortField {

get {

object o = ViewState["SortField"];

if (o == null) {

return String.Empty;

}

return (string)o;

}

set {

if (value == SortField) {

// same as current sort file, toggle sort direction

SortAscending = !SortAscending;

}

ViewState["SortField"] = value;

}

// SortAscending property is tracked in ViewState

bool SortAscending {

get {

object o = ViewState["SortAscending"];

if (o == null) {

return true;

}

return (bool)o;

}

set {

ViewState["SortAscending"] = value;

}

void Page_Load(object sender, EventArgs e) {

if (!Page.IsPostBack) {

BindGrid();

}

void BindGrid() {

// get data

DataSet ds = new DataSet();

ds.ReadXml(Server.MapPath("TestData.xml"));

DataView dv = new DataView(ds.Tables[0]);

// Apply sort filter and direction

dv.Sort = SortField;

if (!SortAscending) {

dv.Sort += " DESC";

}

// Bind grid

DataGrid1.DataSource = dv;

DataGrid1.DataBind();

}

void SortGrid(object sender, DataGridSortCommandEventArgs e) {

DataGrid1.CurrentPageIndex = 0;

SortField = e.SortExpression;

BindGrid();

}

</script>

Here's the code for testdata.xml, referenced in both code sections above:

<?xml version="1.0" standalone="yes"?>

<Table>

<pub_id>0736</pub_id>

<pub_name>New Moon Books</pub_name>

<city>Boston</city>

</Table>

<Table>

<pub_id>0877</pub_id>

<pub_name>Binnet & Hardley</pub_name>

<city>Washington</city>

</Table>

<Table>

<pub_id>1389</pub_id>

<pub_name>Algodata Infosystems</pub_name>

<city>Berkeley</city>

</Table>

<Table>

<pub_id>1622</pub_id>

<pub_name>Five Lakes Publishing</pub_name>

<city>Chicago</city>

</Table>

<Table>

<pub_id>1756</pub_id>

<pub_name>Ramona Publishers</pub_name>

<city>Dallas</city>

</Table>

<Table>

<pub_id>9901</pub_id>

<pub_name>GGG&G</pub_name>

<city>München</city>

<country>Germany</country>

</Table>

<Table>

<pub_id>9952</pub_id>

<pub_name>Scootney Books</pub_name>

</Table>

<Table>

<pub_id>9999</pub_id>

<pub_name>Lucerne Publishing</pub_name>

<city>Paris</city>

<country>France</country>

</Table>

</NewDataSet>

Session State or ViewState?

There are certain cases where holding a state value in ViewState is not the best option. The most commonly used alternative is Session state, which is generally better suited for:

Large amounts of data. Since ViewState increases the size of both the page sent to the browser (the HTML payload) and the size of form posted back, it's a poor choice for storing large amounts of data.

Secure data that is not already displayed in the UI. While the ViewState data is encoded and may optionally be encrypted, your data is most secure if it is never sent to the client. So, Session state is a more secure option. (Storing the data in the database is even more secure due to the additional database credentials. You can add SSL for even better link security.) But if you've displayed the private data in the UI, presumably you're already comfortable with the security of the link itself. In this case, it is no less secure to put the same value into ViewState as well.

Objects not readily serialized into ViewState, for example, DataSet. The ViewState serializer is optimized for a small set of common object types, listed below. Other types that are serializable may be persisted in ViewState, but are slower and generate a very large ViewState footprint.

Session State

ViewState

Holds server resources?

Yes

Times out?

Yes – after 20 minutes (default)

Stores any .NET type?

Yes

No, limited support for: strings, integers, Booleans, arrays, ArrayList, hashtable, custom TypeConverters

Increases "HTML payload"?

Yes

Getting the Best Performance with ViewState

Each object must be serialized going into ViewState and then deserialized upon post back, so the performance cost of using ViewState is definitely not free. However, there's usually no significant performance impact if you follow some simple guidelines to keep your ViewState costs under control.

Disable ViewState when you don't need it. The next section, Getting Less from ViewState, covers this in detail.

Use the optimized ViewState serializers. The types listed above have special serializers that are very fast and optimized to produce a small ViewState footprint. When you want to serialize a type not listed above, you can greatly improve its performance by creating a custom TypeConverter for it.

Use the fewest number of objects, and if possible, reduce the number of objects you put into ViewState. For example, rather than a two-dimensional string array of names/values (which has as many objects as the length of the array), use two string arrays (only two objects). However, there is usually no performance benefit to convert between two known types before storing them in ViewState—then you're basically paying the conversion price twice.

Getting Less from ViewState

ViewState is enabled by default, and it's up to each control—not the page developer—to decide what gets stored in ViewState. Sometimes, this information is not useful to your application. While it's not harmful either, it can dramatically increase the size of the page sent to the browser. It's a good idea to turn off ViewState if you are not using it, especially where the ViewState size is significant.

You can turn off ViewState on a per-control, per-page, or even per-application basis. You don't need ViewState if:

Pages

Controls

The page doesn't post back to itself.

You aren't handling the control's events.

The control has no dynamic or data bound property values (or they are set in code on every request).

The DataGrid control is a particularly heavy user of ViewState. By default, all of the data displayed in the grid is also stored in ViewState, and that's a wonderful thing when an expensive operation (like a complex search) is required to fetch the data. However, this behavior also makes DataGrid the prime suspect for unnecessary ViewState.

For example, here's a simple page that meets the criteria above. ViewState is not needed because the page doesn't post back to itself.

Figure 3. Simple page LessViewState.aspx with DataGrid1

<%@ Import Namespace="System.Data" %>

<html>

<body>

<asp:DataGrid runat="server" />

</form>

</body>

</html>

Private Sub Page_Load(sender As Object, e As EventArgs)

Dim ds as New DataSet()

ds.ReadXml(Server.MapPath("TestData.xml"))

DataGrid1.DataSource = ds

DataGrid1.DataBind()

End Sub

</script>

With ViewState enabled, this little grid contributes over 3000 bytes to the HTML payload for the page! You can see this using ASP.NET Tracing, or by viewing the source of the page sent to the browser, as shown in the code below.

<HTML>

<HEAD>

<title>Reducing Page "HTML Payload"</title>

</HEAD>

<body>

<input type="hidden" name="__VIEWSTATE"

value="dDwxNTgzOTU2ODA7dDw7bDxpPDE+Oz47bDx0PDtsPGk8MT47PjtsPHQ8QDA8cDxw

PGw8UGFnZUNvdW50O18hSXRlbUNvdW50O18hRGF0YVNvdXJjZUl0ZW1Db3VudDtEYXRhS2V

5czs+O2w8aTwxPjtpPDg+O2k8OD47bDw+Oz4+Oz47Ozs7Ozs7OztAMDxAMDxwPGw8SGVhZG

VyVGV4dDtEYXRhRmllbGQ7U29ydEV4cHJlc3Npb247UmVhZE9ubHk7PjtsPHB1Yl9pZDtwd

WJfaWQ7cHViX2lkO288Zj47Pj47Ozs7PjtAMDxwPGw8SGVhZGVyVGV4dDtEYXRhRmllbGQ7

U29ydEV4cHJlc3Npb247UmVhZE9ubHk7PjtsPHB1Yl9uYW1lO3B1Yl9uYW1lO3B1Yl9uYW1

lO288Zj47Pj47Ozs7PjtAMDxwPGw8SGVhZGVyVGV4dDtEYXRhRmllbGQ7U29ydEV4cHJlc3

Npb247UmVhZE9ubHk7PjtsPGNpdHk7Y2l0eTtjaXR5O288Zj47Pj47Ozs7PjtAMDxwPGw8S

GVhZGVyVGV4dDtEYXRhRmllbGQ7U29ydEV4cHJlc3Npb247UmVhZE9ubHk7PjtsPHN0YXRl

O3N0YXRlO3N0YXRlO288Zj47Pj47Ozs7PjtAMDxwPGw8SGVhZGVyVGV4dDtEYXRhRmllbGQ

7U29ydEV4cHJlc3Npb247UmVhZE9ubHk7PjtsPGNvdW50cnk7Y291bnRyeTtjb3VudHJ5O2

88Zj47Pj47Ozs7Pjs+Oz47bDxpPDA+Oz47bDx0PDtsPGk8MT47aTwyPjtpPDM+O2k8ND47a

Tw1PjtpPDY+O2k8Nz47aTw4Pjs+O2w8dDw7bDxpPDA+O2k8MT47aTwyPjtpPDM+O2k8ND47

PjtsPHQ8cDxwPGw8VGV4dDs+O2w8MDczNjs+Pjs+Ozs+O3Q8cDxwPGw8VGV4dDs+O2w8TmV

3IE1vb24gQm9va3M7Pj47Pjs7Pjt0PHA8cDxsPFRleHQ7PjtsPEJvc3Rvbjs+Pjs+Ozs+O3

Q8cDxwPGw8VGV4dDs+O2w8TUE7Pj47Pjs7Pjt0PHA8cDxsPFRleHQ7PjtsPFVTQTs+Pjs+O

zs+Oz4+O3Q8O2w8aTwwPjtpPDE+O2k8Mj47aTwzPjtpPDQ+Oz47bDx0PHA8cDxsPFRleHQ7

PjtsPDA4Nzc7Pj47Pjs7Pjt0PHA8cDxsPFRleHQ7PjtsPEJpbm5ldCAmIEhhcmRsZXk7Pj4

7Pjs7Pjt0PH_u56 ?cDxsPFRleHQ7PjtsPFdhc2hpbmd0b247Pj47Pjs7Pjt0PHA8cDxsPFRleHQ7PjtsPERDOz

4+Oz47Oz47dDxwPHA8bDxUZXh0Oz47bDxVU0E7Pj47Pjs7Pjs+Pjt0PDtsPGk8MD47aTwxP

jtpPDI+O2k8Mz47aTw0Pjs+O2w8dDxwPHA8bDxUZXh0Oz47bDwxMzg5Oz4+Oz47Oz47dDxw

PHA8bDxUZXh0Oz47bDxBbGdvZGF0YSBJbmZvc3lzdGVtczs+Pjs+Ozs+O3Q8cDxwPGw8VGV

4dDs+O2w8QmVya2VsZXk7Pj47Pjs7Pjt0PHA8cDxsPFRleHQ7PjtsPENBOz4+Oz47Oz47dD

xwPHA8bDxUZXh0Oz47bDxVU0E7Pj47Pjs7Pjs+Pjt0PDtsPGk8MD47aTwxPjtpPDI+O2k8M

z47aTw0Pjs+O2w8dDxwPHA8bDxUZXh0Oz47bDwxNjIyOz4+Oz47Oz47dDxwPHA8bDxUZXh0

Oz47bDxGaXZlIExha2VzIFB1Ymxpc2hpbmc7Pj47Pjs7Pjt0PHA8cDxsPFRleHQ7PjtsPEN

oaWNhZ287Pj47Pjs7Pjt0PHA8cDxsPFRleHQ7PjtsPElMOz4+Oz47Oz47dDxwPHA8bDxUZX

h0Oz47bDxVU0E7Pj47Pjs7Pjs+Pjt0PDtsPGk8MD47aTwxPjtpPDI+O2k8Mz47aTw0Pjs+O

2w8dDxwPHA8bDxUZXh0Oz47bDwxNzU2Oz4+Oz47Oz47dDxwPHA8bDxUZXh0Oz47bDxSYW1v

bmEgUHVibGlzaGVyczs+Pjs+Ozs+O3Q8cDxwPGw8VGV4dDs+O2w8RGFsbGFzOz4+Oz47Oz4

7dDxwPHA8bDxUZXh0Oz47bDxUWDs+Pjs+Ozs+O3Q8cDxwPGw8VGV4dDs+O2w8VVNBOz4+Oz

47Oz47Pj47dDw7bDxpPDA+O2k8MT47aTwyPjtpPDM+O2k8ND47PjtsPHQ8cDxwPGw8VGV4d

Ds+O2w8OTkwMTs+Pjs+Ozs+O3Q8cDxwPGw8VGV4dDs+O2w8R0dHJkc7Pj47Pjs7Pjt0PHA8

cDxsPFRleHQ7PjtsPE3DvG5jaGVuOz4+Oz47Oz47dDxwPHA8bDxUZXh0Oz47bDwmbmJzcFw

7Oz4+Oz47Oz47dDxwPHA8bDxUZXh0Oz47bDxHZXJtYW55Oz4+Oz47Oz47Pj47dDw7bDxpPD

A+O2k8MT47aTwyPjtpPDM+O2k8ND47PjtsPHQ8cDxwPGw8VGV4dDs+O2w8OTk1Mjs+Pjs+O

zs+O3Q8cDxwPGw8VGV4dDs+O2w8U2Nvb3RuZXkgQm9va3M7Pj47Pjs7Pjt0PHA8cDxsPFRl

eHQ7PjtsPE5ldyBZb3JrOz4+Oz47Oz47dDxwPHA8bDxUZXh0Oz47bDxOWTs+Pjs+Ozs+O3Q

8cDxwPGw8VGV4dDs+O2w8VVNBOz4+Oz47Oz47Pj47dDw7bDxpPDA+O2k8MT47aTwyPjtpPD

M+O2k8ND47PjtsPHQ8cDxwPGw8VGV4dDs+O2w8OTk5OTs+Pjs+Ozs+O3Q8cDxwPGw8VGV4d

Ds+O2w8THVjZXJuZSBQdWJsaXNoaW5nOz4+Oz47Oz47dDxwPHA8bDxUZXh0Oz47bDxQYXJp

czs+Pjs+Ozs+O3Q8cDxwPGw8VGV4dDs+O2w8Jm5ic3BcOzs+Pjs+Ozs+O3Q8cDxwPGw8VGV

4dDs+O2w8RnJhbmNlOz4+Oz47Oz47Pj47Pj47Pj47Pj47Pj47Pg==" />

Yikes! By simply disabling ViewState for the grid, the payload size for the same page becomes dramatically smaller:

<HTML>

<HEAD>

<title>Reducing Page "HTML Payload"</title>

</HEAD>

<body>

Here's the complete LessViewState code in Visual Basic and C#:

[Visual Basic]<%@ Import Namespace="System.Data" %>

<html>

<HEAD>

<title>Reducing Page "HTML Payload"</title>

</HEAD>

<body>

<H3>

Reducing Page "HTML Payload" by Disabling ViewState

</H3>

<P>

<asp:datagrid id="DataGrid1" runat="server" EnableViewState="false"

BorderStyle="None" BorderWidth="1px" BorderColor="#CCCCCC"

BackColor="White" CellPadding="5">

</HeaderStyle>

</asp:datagrid>

</P>

</form>

</body>

</html><script runat="server">

Private Sub Page_Load(sender As Object, e As EventArgs)

Dim ds as New DataSet()

ds.ReadXml(Server.MapPath("TestData.xml"))

DataGrid1.DataSource = ds

DataGrid1.DataBind()

End Sub

</script>

[C#]<%@ Page Language="C#" %>

<%@ Import Namespace="System.Data" %>

<html>

<HEAD>

<title>Reducing Page "HTML Payload"</title>

</HEAD>

<body>

<H3>

Reducing Page "HTML Payload" by Disabling ViewState

</H3>

<P>

<asp:datagrid id="DataGrid1" runat="server" EnableViewState="false"

BorderStyle="None" BorderWidth="1px" BorderColor="#CCCCCC"

BackColor="White" CellPadding="5">

</HeaderStyle>

</asp:datagrid>

</P>

</form>

</body>

</html>

void Page_Load(object sender, EventArgs e) {

DataSet ds = new DataSet();

ds.ReadXml(Server.MapPath("TestData.xml"));

DataGrid1.DataSource = ds;

DataGrid1.DataBind();

}

</script>

Disabling ViewState

In the example above, I disabled ViewState for the grid by setting its EnableViewState property to false. ViewState can be disabled for a single control, for an entire page, or for an entire application, as follows:

Per control (on tag)

<asp:datagrid EnableViewState="false" ... />

Per page (in directive)

<%@ Page EnableViewState="False" ... %>

Per application (in web.config)

Making ViewState More Secure

Because it's not formatted as clear text, folks sometimes assume that ViewState is encrypted—it's not. Instead, ViewState is merely base64-encoded to ensure that values are not altered during a roundtrip, regardless of the response/request encoding used by the application.

There are two levels of ViewState security you may wish to add to your application:

Tamper-proofing

Encryption

It's important to note that ViewState security has a direct effect on the time required to process and render an ASP.NET page. In short, more secure is slower, so don't add security to ViewState if you don't need it.

Tamper-Proofing

A hashcode will not secure the actual data within the ViewState field, but it will greatly reduce the likelihood of someone tampering with ViewState to try to spoof your application, that is, posting back values that your application would normally prevent a user from inputting.

You can instruct ASP.NET to append a hashcode to the ViewState field by setting the EnableViewStateMAC attribute:

<%@Page EnableViewStateMAC=true %>

EnableViewStateMAC can be set at the page or application level. Upon postback, ASP.NET will generate a hashcode for the ViewState data and compare it to the hashcode store in the posted value. If they don't match, the ViewState data will be discarded and the controls will revert to their original settings.

By default, ASP.NET generates the ViewState hashcode using the SHA1 algorithm. Alternatively, you can select the MD5 algorithm by setting <machineKey> in the machine.config file as follows:

Encryption

You can use encryption to protect the actual data values within the ViewState field. First, you must set EnableViewStatMAC="true", as above. Then, set the machineKey validation type to 3DES. This instructs ASP.NET to encrypt the ViewState value using the Triple DES symmetric encryption algorithm.

ViewState Security on a Web Farm

By default, ASP.NET creates a random validation key and stores it in each server's Local Security Authority (LSA). In order to validate a ViewState field created on another server, the validationKey for both servers must be set to the same value. If you secure ViewState by any of the means listed above for an application running in a Web Farm configuration, you will need to provide a single, shared validation key for all of the servers.

The validation key is a string of 20 to 64 random, cryptographically-strong bytes, represented as 40 to 128 hexadecimal characters. Longer is more secure, so a 128-character key is recommended for machines that support it. For example:

<machineKey validation="SHA1" validationKey="

F3690E7A3143C185AB1089616A8B4D81FD55DD7A69EEAA3B32A6AE813ECEECD28DEA66A

23BEE42193729BD48595EBAFE2C2E765BE77E006330BC3B1392D7C73F" />

The System.Security.Cryptography namespace includes the RNGCryptoServiceProvider class that you can use to generate this string, as demonstrated in the following GenerateCryptoKey.aspx sample:

<%@ Page Language="c#" %>

<%@ Import Namespace="System.Security.Cryptography" %>

<HTML>

<body>

<H3>Generate Random Crypto Key</H3>

<P>

<asp:RadioButtonList id="RadioButtonList1"

runat="server" RepeatDirection="Horizontal">

<asp:ListItem Value="40">40-byte</asp:ListItem>

<asp:ListItem Value="128" Selected="True">128-byte</asp:ListItem>

</asp:RadioButtonList> 

<asp:Button id="Button1" runat="server" onclick="GenerateKey"

Text="Generate Key">

</asp:Button></P>

<P>

<asp:TextBox id="TextBox1" runat="server" TextMode="MultiLine"

Rows="10" Columns="70" BackColor="#EEEEEE" EnableViewState="False">

Copy and paste generated results</asp:TextBox></P>

</form>

</body>

</HTML>

void GenerateKey(object sender, System.EventArgs e)

{

int keylength = Int32.Parse(RadioButtonList1.SelectedItem.Value);

// Put user code to initialize the page here

byte[] buff = new Byte[keylength/2];

RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();

// The array is now filled with cryptographically strong random bytes

rng.GetBytes(buff);

StringBuilder sb = new StringBuilder(keylength);

int i;

for (i = 0; i < buff.Length; i++) {

sb.Append(String.Format("{0:X2}",buff[i]));

}

// paste to the textbox to the user can copy it out

TextBox1.Text = sb.ToString();

}

</script>

Summary

ASP.NET ViewState is a new kind of state service that developers can use to track UI state on a per-user basis. There's nothing magical about it. It simply takes an old Web programming trick—roundtripping state in a hidden form field—and bakes it right into the page-processing framework. But the result is pretty wonderful—a lot less code to write and maintain in your Web-based forms.

You won't always need it, but when you do, I think you'll find ViewState is a satisfying addition to the feast of new features ASP.NET offers to page developers.

Susan Warren is a program manager for ASP.NET on the .NET Framework team.