问题
i search many site but not getting any solution that how programatically detect ViewState.
i got one suggestion from a site that they said EnableViewStateMac to true in the @Page directive and other settings like VaidationKey and ValidationAlgorithm has also to be defined. but they did not said how to do the settings like VaidationKey and ValidationAlgorithm. can anyone drive me in right direction. thanks
回答1:
The EnableViewStateMac property is true by default in ASP.NET. When it is true it prevents anyone from changing the viewstate (an exception will be thrown when ASP.NET detects a change).
What it doesn't prevent is replay and Cross-site request forgery attacks. A viewstate is by default not locked to a single user, which allows hackers to copy the view state and resend it in the context of another user. This is where the ViewStateUserKey comes in. You can set with the ID of a logged in user, which will prevent the ViewState from being reused in the context of another user.
You can read more about it here and there is a CodePlex project specially for preventing CSRF attacks. Don't roll your own, use that library!
UPDATE
Here is an example of how to use the ViewStateUserKey:
void Page_Init(object sender, EventArgs e)
{
this.ViewStateUserKey = this.Session.SessionID;
}
来源:https://stackoverflow.com/questions/5728106/how-to-detect-viewstate-is-tamper-or-not-programatically