Chapter 5. Controlling Information

Once your application has accepted data from the user (even if it is only a request to display a page), your application must generate output. You have already seen how to validate input, and how to sanitize it for output. However, there are unexpected ways that sensitive information about your application can be leaked.

In this chapter, you will learn about the following:

  • How information can be leaked with ViewState

  • How to secure and encrypt ViewState

  • Strategies and approaches for error logging

  • Strategies and approaches for securing sessions

  • Other ways information can become exposed

CONTROLLING VIEWSTATE

One of the defining features of ASP.NET Web Forms is its event model, which turns user actions (such as clicking a button or changing the selected item in a list) into server-side events, an approach that matches Windows Forms programming. To support this model over stateless HTTP, Microsoft introduced ViewState, a mechanism by which a page maintains its state across multiple client requests and responses. When a property is set on a control, the control can save the property value into its own state; each control's state is then added to the ViewState for the page, which the server sends to the client and the client returns with every postback as a hidden form field such as the following:

<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE"
value="/wEPDwUKMTcwMzQ5NDcyMGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9f
FggFL2N0bDAwJE1haW5QbGFjZUhvbGRlciRFZGl0b3IkQ29tbWVudFJhZGlvQnV0dG9uBS9jdGww
MCRNYWluUGxhY2VIb2xkZXIkRWRpdG9yJENvbW1lbnRSYWRpb0J1dHRvbgUuY3RsMDAkTWFpblBs ...
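The hidden field above looks opaque, but by default it is only base64: a base64 decode yields the ObjectStateFormatter token stream that ASP.NET serialized, and anyone who can see the page can read it. The decoder below is an added example written for this page; it is not code from the book or from ASP.NET. It uses the token values of the ObjectStateFormatter binary format (FF 01 header, 0x0F Pair, 0x05 String, 0x16 ArrayList, 0x18 HybridDictionary, 0x64 null, and so on) and handles only the subset of tokens that ordinary page state needs. The sample input is the three lines of the field value shown above, joined; because the page shows the value cut off, the decoder tolerates a stream that ends mid-value and reports every string it did manage to read. The second sample (a hand-assembled Pair("abc", null) followed by 20 placeholder bytes) is constructed here to show the untruncated path and the MAC bytes that sit after the object tree.

```python
import base64

# Constructed sample input: the three base64 lines of the __VIEWSTATE value
# printed on the page, joined. The page shows it cut off with "...", so the
# stream ends mid-string and the decoder has to cope with that.
SAMPLE_VIEWSTATE = (
    "/wEPDwUKMTcwMzQ5NDcyMGQYAQUeX19Db250cm9sc1JlcXVpcmVQb3N0QmFja0tleV9f"
    "FggFL2N0bDAwJE1haW5QbGFjZUhvbGRlciRFZGl0b3IkQ29tbWVudFJhZGlvQnV0dG9uBS9jdGww"
    "MCRNYWluUGxhY2VIb2xkZXIkRWRpdG9yJENvbW1lbnRSYWRpb0J1dHRvbgUuY3RsMDAkTWFpblBs"
)

# Second constructed sample: a complete stream, Pair("abc", null), followed by
# 20 bytes standing in for the HMAC-SHA1 MAC that enableViewStateMac appends.
COMPLETE_SAMPLE = base64.b64encode(
    b"\xff\x01" + b"\x0f" + b"\x05\x03abc" + b"\x64" + bytes(20)
).decode()


class Truncated(Exception):
    """Raised when the stream ends before a value is complete."""


class LosReader:
    """Minimal reader for the ObjectStateFormatter (LOS) token stream.

    Handles pairs, triplets, strings (plain and string-table), 7-bit encoded
    Int32, ArrayList, Hashtable/HybridDictionary and the one-byte constants.
    Any other token raises, so a guess is never returned silently.
    """

    def __init__(self, data: bytes):
        self.data = data
        self.pos = 0
        self.table = []        # string table for IndexedStringAdd/IndexedString
        self.seen = []         # every complete string read, in stream order
        self.partial = None    # the string that was cut off, if any

    def byte(self) -> int:
        if self.pos >= len(self.data):
            raise Truncated()
        b = self.data[self.pos]
        self.pos += 1
        return b

    def encoded_int(self) -> int:
        # Same scheme as BinaryReader.Read7BitEncodedInt: low 7 bits per byte,
        # high bit set means another byte follows.
        result, shift = 0, 0
        while True:
            b = self.byte()
            result |= (b & 0x7F) << shift
            if not b & 0x80:
                return result
            shift += 7

    def string(self) -> str:
        n = self.encoded_int()
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) < n:
            self.partial = chunk.decode("utf-8", "replace")
            raise Truncated()
        self.pos += n
        s = chunk.decode("utf-8")
        self.seen.append(s)
        return s

    def value(self):
        t = self.byte()
        if t == 0x0F:                                   # Pair
            return ("Pair", self.value(), self.value())
        if t == 0x10:                                   # Triplet
            return ("Triplet", self.value(), self.value(), self.value())
        if t == 0x05:                                   # String
            return self.string()
        if t == 0x1E:                                   # IndexedStringAdd
            s = self.string()
            self.table.append(s)
            return s
        if t == 0x1F:                                   # IndexedString
            return self.table[self.encoded_int()]
        if t == 0x02:                                   # Int32, 7-bit encoded
            return self.encoded_int()
        if t == 0x16:                                   # ArrayList
            return [self.value() for _ in range(self.encoded_int())]
        if t in (0x17, 0x18):                           # Hashtable / HybridDictionary
            d = {}
            for _ in range(self.encoded_int()):
                k = self.value()                        # key precedes its value
                d[k] = self.value()
            return d
        consts = {0x64: None, 0x65: "", 0x66: 0, 0x67: True, 0x68: False}
        if t in consts:
            return consts[t]
        raise ValueError(f"unhandled LOS token 0x{t:02x} at offset {self.pos - 1}")


def decode_viewstate(b64: str) -> dict:
    """Decode a __VIEWSTATE value into its object tree plus every string found."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    if raw[:2] != b"\xff\x01":
        # No FF 01 header means this is not a plain LOS stream, for instance
        # because viewStateEncryptionMode encrypted the whole value.
        raise ValueError("not a plain ObjectStateFormatter stream")
    reader = LosReader(raw[2:])
    try:
        tree, truncated = reader.value(), False
    except Truncated:
        tree, truncated = None, True
    return {
        "tree": tree,
        "strings": reader.seen,
        "partial_string": reader.partial,
        "truncated": truncated,
        # Bytes after the tree are the MAC (20 for HMAC-SHA1) when one is present.
        "trailing_bytes": None if truncated else len(reader.data) - reader.pos,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_VIEWSTATE, COMPLETE_SAMPLE):
        for key, val in decode_viewstate(sample).items():
            print(f"{key}: {val!r}")
        print()
```

Run against the page's sample, the decoder recovers the page's control-tree hash "1703494720", the control-state key "__ControlsRequirePostBackKey__", and the fully qualified control IDs, such as ctl00$MainPlaceHolder$Editor$CommentRadioButton, which also reveal the master page placeholder and user control naming, before the stream is cut off inside a third ID. No key was needed for any of that. A MAC (enableViewStateMac) stops a client from tampering with ViewState but does nothing to stop reading it; only encrypting ViewState, which this chapter covers below, hides whatever the page chose to store there.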
