Articles that talk about ViewState always say that it is less secure and not suitable for keeping sensitive information. Let us see how a ViewState value can be read back.
Data kept in ViewState is serialized using LosFormatter, a little-known class used for serialization. LosFormatter is helpful for serializing simple types, and it produces an ASCII string representation of the object graph. The following code shows LosFormatter in use.

```csharp
using System;
using System.IO;
using System.Web.UI;   // LosFormatter lives in System.Web.dll

[Serializable]
class Customer
{
    public Customer(int age, string name)
    {
        this.Age = age;
        this.Name = name;
    }
    public int Age { get; set; }
    public string Name { get; set; }
}

string Serialize()
{
    // Creating customer object
    Customer customer = new Customer(25, "Navaneeth");
    // Formatting: LosFormatter writes the object graph as a Base64 text string
    LosFormatter formatter = new LosFormatter();
    using (StringWriter output = new StringWriter())
    {
        formatter.Serialize(output, customer);
        return output.ToString();
    }
}
```
The above code serializes the object graph and produces an ASCII string which can be transmitted over HTTP.
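As an added example (not code from the original post), the following console program serializes the same kind of Customer object with LosFormatter, Base64-decodes the result to show that the type name and string field values are readable in clear, and then deserializes it back with a plain LosFormatter. The Customer class, the ViewStateDemo class and the Main method are assumptions made for this demo.

```csharp
using System;
using System.IO;
using System.Text;
using System.Web.UI;   // LosFormatter; reference System.Web.dll

// Same shape as the post's Customer type (assumed for this demo).
[Serializable]
class Customer
{
    public Customer(int age, string name)
    {
        Age = age;
        Name = name;
    }
    public int Age { get; set; }
    public string Name { get; set; }
}

static class ViewStateDemo
{
    // Serialize an object graph the way ViewState does: the result is a Base64 string.
    static string Serialize(object graph)
    {
        var formatter = new LosFormatter();
        using (var output = new StringWriter())
        {
            formatter.Serialize(output, graph);
            return output.ToString();
        }
    }

    // Reverse the process: no key is needed, because nothing was encrypted.
    static object Deserialize(string viewState)
    {
        var formatter = new LosFormatter();
        return formatter.Deserialize(viewState);
    }

    static void Main()
    {
        string payload = Serialize(new Customer(25, "Navaneeth"));
        Console.WriteLine("ViewState string: " + payload);

        // Base64 decoding alone exposes the type name and the string field values;
        // non-printable framing bytes are shown as '.' so the text stays readable.
        byte[] raw = Convert.FromBase64String(payload);
        var visible = new StringBuilder();
        foreach (byte b in raw)
            visible.Append(b >= 0x20 && b < 0x7F ? (char)b : '.');
        Console.WriteLine("Decoded bytes:   " + visible);

        // Full round trip with a plain LosFormatter recovers the object.
        var back = (Customer)Deserialize(payload);
        Console.WriteLine("Recovered: Age={0}, Name={1}", back.Age, back.Name);
    }
}
```

Because the LosFormatter output is only Base64-encoded, anyone holding the string can decode and deserialize it. In an ASP.NET page the corresponding protections are the ViewState MAC (`enableViewStateMac="true"`, which makes the value tamper-evident) and `viewStateEncryptionMode="Always"` (which makes it unreadable), both set on the `<pages>` element in web.config; neither changes the basic advice that sensitive data does not belong in ViewState at all.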
The following code shows decrypting viewstate values.

This should make clear why sensitive data should not be kept in ViewState.