How to detect whether ViewState is tampered or not programmatically

最后都变了 - submitted on 2020-02-02 22:57:52

Question


I searched many sites but am not getting any solution for how to programmatically detect ViewState.

I got one suggestion from a site that said to set EnableViewStateMac to true in the @Page directive, and that other settings like ValidationKey and ValidationAlgorithm also have to be defined. But they did not say how to do the settings like ValidationKey and ValidationAlgorithm. Can anyone point me in the right direction? Thanks.


Answer 1:


The EnableViewStateMac property is true by default in ASP.NET. When it is true it prevents anyone from changing the viewstate (an exception will be thrown when ASP.NET detects a change).

What it doesn't prevent is replay and cross-site request forgery attacks. A viewstate is by default not locked to a single user, which allows hackers to copy the view state and resend it in the context of another user. This is where the ViewStateUserKey comes in. You can set it to the ID of a logged-in user, which will prevent the ViewState from being reused in the context of another user.

You can read more about it here and there is a CodePlex project specially for preventing CSRF attacks. Don't roll your own, use that library!

UPDATE

Here is an example of how to use the ViewStateUserKey:

void Page_Init(object sender, EventArgs e)
{
    this.ViewStateUserKey = this.Session.SessionID;
}
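
A simplified model of the two checks described in the answer above, as an added example that is not part of the original answer and is not ASP.NET's actual serializer or key derivation: a keyed MAC rejects a modified payload, and mixing a per-user key into the MAC rejects an intact token replayed under a different user. The key value, the `payload.mac` token layout, and the names `ViewStateMacDemo`, `Protect` and `TryUnprotect` are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Simplified model of MAC-protected view state (assumption: not ASP.NET's real format).
static class ViewStateMacDemo
{
    // Constructed demo key; a real application keeps a random key in server configuration.
    static readonly byte[] ValidationKey = Encoding.UTF8.GetBytes("constructed-demo-key-do-not-reuse");
    // Derive a per-user key first, then MAC the payload with it, so the
    // tag is valid only for the user key it was issued under.
    static byte[] Mac(byte[] payload, string userKey)
    {
        byte[] perUserKey;
        using (var kdf = new HMACSHA256(ValidationKey))
            perUserKey = kdf.ComputeHash(Encoding.UTF8.GetBytes(userKey));
        using (var hmac = new HMACSHA256(perUserKey))
            return hmac.ComputeHash(payload);
    }

    public static string Protect(string state, string userKey)
    {
        byte[] payload = Encoding.UTF8.GetBytes(state);
        return Convert.ToBase64String(payload) + "." + Convert.ToBase64String(Mac(payload, userKey));
    }

    public static bool TryUnprotect(string token, string userKey, out string state)
    {
        state = null;
        string[] parts = token.Split('.');
        if (parts.Length != 2) return false;
        byte[] payload, mac;
        try { payload = Convert.FromBase64String(parts[0]); mac = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return false; }
        byte[] expected = Mac(payload, userKey);
        int diff = mac.Length ^ expected.Length;          // constant-time comparison of the tags
        for (int i = 0; i < mac.Length && i < expected.Length; i++) diff |= mac[i] ^ expected[i];
        if (diff != 0) return false;                      // tampered payload or wrong user key
        state = Encoding.UTF8.GetString(payload);
        return true;
    }

    static void Main()
    {
        string token = Protect("role=user", "session-A"); // constructed sample state and user keys
        string forged = Convert.ToBase64String(Encoding.UTF8.GetBytes("role=admin")) + token.Substring(token.IndexOf('.'));
        string s;
        Console.WriteLine("intact, same user:     " + TryUnprotect(token, "session-A", out s));
        Console.WriteLine("payload modified:      " + TryUnprotect(forged, "session-A", out s));
        Console.WriteLine("replayed as other user: " + TryUnprotect(token, "session-B", out s));
    }
}
```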


Source: https://stackoverflow.com/questions/5728106/how-to-detect-viewstate-is-tamper-or-not-programatically
