Chapter 5. Controlling Information

Once your application has accepted data from the user (even if it is only a request to display a page), your application must generate output. You have already seen how to validate input, and how to sanitize it for output. However, there are unexpected ways that sensitive information about your application can be leaked.

In this chapter, you will learn about the following:

  • How information can be leaked with ViewState

  • How to secure and encrypt ViewState

  • Strategies and approaches for error logging

  • Strategies and approaches for securing sessions

  • Other ways information can become exposed


One of the defining features of ASP.NET Web Forms is the event model, which turns actions (such as clicking a button, or changing the selected item in a list) into server-side events, an approach that matches Windows Forms programming. To support this model, Microsoft introduced ViewState, a mechanism whereby pages maintain their state over multiple client requests and responses. When a property is set on a control, the control can save the property value into its state. Each control's state is added into the ViewState for the page, which is sent by the server and returned by the client as a hidden form field such as the following:

<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE"
value="MCRNYWluUGxhY2VIb2xkZXIkRWRpdG9yJENvbW1lbnRSYWRpb0J1dHRvbgUuY3RsMDAkTWFpblBs ..." />
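The hidden field above is Base64, and Base64 is an encoding, not a protection: anyone who can view the page source can decode it and read every control id and property value a page put into its state. The script below is an added example for auditing your own pages, not code from the book. It decodes a ViewState value in two ways: a quick "printable strings" triage that works even on the truncated fragment shown above, and a structural decode of the serializer's format. The token values it uses (0xFF 0x01 header, 0x05 string, 0x02 Int32, 0x0F Pair, 0x10 Triplet, 0x64 null, 0x67/0x68 booleans) are the ObjectStateFormatter tokens as I know them from the .NET reference source and are an assumption here; only that subset is handled, and the full sample ViewState it decodes is constructed in the script rather than captured from a real page.

```python
"""Added example, not code from the book: decode an unprotected ASP.NET
__VIEWSTATE value to show that Base64 is an encoding, not a protection.

Assumptions (mine, not the page's): the token values below are the
ObjectStateFormatter (LOS) tokens as I know them from the .NET reference
source, and only this subset is handled; the sample ViewState is constructed
here rather than captured from a real page."""
import base64
import re

LOS_HEADER = b"\xff\x01"        # serializer stream marker (assumed)
TOKEN_INT32, TOKEN_STRING = 0x02, 0x05
TOKEN_PAIR, TOKEN_TRIPLET = 0x0F, 0x10
TOKEN_NULL, TOKEN_TRUE, TOKEN_FALSE = 0x64, 0x67, 0x68


def _read_7bit(data, pos):
    """Read a .NET 7-bit encoded integer; returns (value, new_pos)."""
    value, shift = 0, 0
    while True:
        b = data[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7


def _read_value(data, pos):
    """Recursively decode one serialized value starting at pos."""
    token = data[pos]
    pos += 1
    if token == TOKEN_NULL:
        return None, pos
    if token in (TOKEN_TRUE, TOKEN_FALSE):
        return token == TOKEN_TRUE, pos
    if token == TOKEN_INT32:
        return _read_7bit(data, pos)
    if token == TOKEN_STRING:
        length, pos = _read_7bit(data, pos)
        return data[pos:pos + length].decode("utf-8"), pos + length
    if token in (TOKEN_PAIR, TOKEN_TRIPLET):
        arity = 2 if token == TOKEN_PAIR else 3
        items = []
        for _ in range(arity):
            item, pos = _read_value(data, pos)
            items.append(item)
        return ("Pair" if arity == 2 else "Triplet", *items), pos
    raise ValueError("unhandled token 0x%02x at offset %d" % (token, pos - 1))


def decode_viewstate(b64):
    """Parse a __VIEWSTATE value. Returns None when the header is absent,
    which is what an encrypted ViewState looks like: nothing readable."""
    data = base64.b64decode(b64)
    if not data.startswith(LOS_HEADER):
        return None
    value, _ = _read_value(data, len(LOS_HEADER))
    return value


def readable_strings(b64, min_len=6):
    """Triage without parsing: printable ASCII runs in the decoded blob.
    Works on truncated ViewState too; an encrypted one yields almost none."""
    data = base64.b64decode(b64)
    return [m.decode("ascii") for m in re.findall(rb"[ -~]{%d,}" % min_len, data)]


def _encode_7bit(n):
    out = bytearray()
    while n >= 0x80:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    out.append(n)
    return bytes(out)


def _los_string(s):
    raw = s.encode("utf-8")
    return bytes([TOKEN_STRING]) + _encode_7bit(len(raw)) + raw


def build_sample_viewstate():
    """Constructed sample (not a real capture): a Triplet holding an Int32 and
    a Pair(control id, saved string property), the kind of entry a control
    adds to its state when a property is set server-side."""
    body = (bytes([TOKEN_TRIPLET])
            + bytes([TOKEN_INT32]) + _encode_7bit(1234567)
            + bytes([TOKEN_PAIR])
            + _los_string("ctl00$MainPlaceHolder$PriceLabel")
            + _los_string("Unit price: 19.99")
            + bytes([TOKEN_NULL]))
    return base64.b64encode(LOS_HEADER + body).decode("ascii")


# The fragment printed in the chapter's hidden-field example. It starts
# mid-stream, so it cannot be parsed structurally, but its strings are plain.
BOOK_FRAGMENT = "MCRNYWluUGxhY2VIb2xkZXIkRWRpdG9yJENvbW1lbnRSYWRpb0J1dHRvbgUuY3RsMDAkTWFpblBs"

if __name__ == "__main__":
    print(decode_viewstate(build_sample_viewstate()))
    print(readable_strings(BOOK_FRAGMENT))
```

Run against the chapter's own fragment, `readable_strings` recovers the control id `0$MainPlaceHolder$Editor$CommentRadioButton` and the start of the next one, which is exactly the information a reviewer should assume is visible to every visitor. A ViewState MAC (the `enableViewStateMac` page setting) stops tampering but does not hide this content; only ViewState encryption (`viewStateEncryptionMode`) does, and an encrypted value is what makes `decode_viewstate` return None and `readable_strings` return nothing useful. Both settings are real ASP.NET configuration attributes, named here from my own knowledge rather than from this excerpt.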
