I'm currently fixing some Security issues in our ASP.net website application.
One of the issue was that the ViewState
was not encrypted.
So I did check on StackOverFlow and elsewhere on how to encrypt the viewState, and I did it using the <pages viewStateEncryptionMode="Always" />
and adding a 3DES machinekey like this <machineKey validation="3DES" />
in Web.config .
I would like to know if the "EnableViewStateMAC=true"
is also compulsorily necessary? since this was mentioned in some of the suggested solutions I had found online.
But, on my checks I found the encryption is working even without this.
[NOTE: I had to do these changes at an application level (Web.config) since making individual page changes is not a practical solution for this application.]
Just in case:
more details here: ASP.NET 4.5.2 and EnableViewStateMac
It 'll be problem When You host multi server. Because Machine Keys are different.
IF your project runs on single machine. EnableViewStateMAC=true is safely.
Using enableViewStateMac requires that successive requests be forwarded to the same server (i.e. server affinity). This feature is used to help prevent tampering of a page's view state; however, it does so based on an auto-generated validation key on the current server. From this key, a message authentication code (MAC) is generated and sent in the ViewState back to the browser. The problem is that if a POST back is performed and goes to a different server, you will get a nice little error message saying “Corrupt View State“.
To fix this, you can either set enableViewStateMac to false in the element or specify a common value for the validationKey attribute in the element across all servers (in the farm).
By the way, documentation says that this is OFF by default. That is incorrect! Go check machine.config!
Do not ever set EnableViewStateMac to false, even if encryption is enabled. The MAC guarantees that the client cannot maliciously tamper with the contents of ViewState. (Encryption by itself isn't sufficient to guarantee this; the MAC is necessary.)
The EnableViewStateMac property will be removed in a future version of the product since there is no valid reason to set it to 'false'.
You might want to note that as of September 2014
All versions of the ASP.NET runtime 1.1 - 4.5.2 now forbid setting
and
http://blogs.msdn.com/b/webdev/archive/2014/09/09/farewell-enableviewstatemac.aspx