What is ViewState? How is it encoded? Is it encrypted? Who uses ViewState?
Answers:
Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.
Method 1
View state is a kind of hash map (or at least you can think of it that way) that ASP.NET uses to store all the temporary information about a page – like what options are currently chosen in each select box, what values are there in each text box, which panel are open, etc. You can also use it to store any arbitrary information.
The entire map is serialized and encrypted encoded and kept in a hidden variable that’s posted back to the server whenever you take any action on the page that requires a server round trip. This is how you can access the values on the controls from the server code. If you change any value in the server code, that change is made in the view state and sent back to the browser.
Just be careful about how much information you store in the view state, though… it can quickly become bloated and slow to transfer each time to the server and back.
As for encryption, I dont’ know how strong it is, but its sure not easily human readable. I wouldn’t use it for sensitive information, though. As pointed out in the comments, it’s not encrypted at all. Just base encoded, which easily reversible.
Method 2
If you really want to understand ViewState (not just what it is used for), then you may want to read this fabulous article (which I, unfortunately, am not the author of :-).
Beware, though, it is a bit dated, but still a very good read.
Method 3
It is a hidden field generated by ASP.NET that contains information about all the controls on the page. Ideally the view state should not need to be encrypted, as it should never contain sensitive information. To indicate that the view state should be encrypted, set the <machineKey> element’s validation attribute in the machine.config file to 3DES. There’s a nice article on MSDN describing ViewState.
Method 4
Allow me to share with you what I learned today.
What is ViewState?
Microsoft® ASP.NET view state, in a nutshell, is the technique used by
an ASP.NET Web page to persist changes to the state of a Web Form
across postbacks.View State stores the value of page controls as a string which is
hashed and encoded in some hashing and encoding technology. It only
contain information about page and its controls
If I have something like this:
protected void Page_Load(object sender, EventArgs e)
{
ViewState["UserName"] = "Shubh Dasgupta";
ViewState["Password"] = "IAmAPassword";
}
The view state of a page is, by default, placed in a hidden form field named __VIEWSTATE.
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE"
value="/wEPDwULLTE2MTY2ODcyMjkPFgQeCFVzZXJOYW1lBQ5TaHViaCBEYXNndXB0YR4IUGFzc3dvcmQFDElBbUFQYXNzd29yZGRk2/xP37hKKE9jfGYYzFjLuwpi6rHlPdXhfSspF6YRZiI=" />
How is it encoded? Is it encrypted?
ViewState is Encoded and not Encrypted by default. Lets take the previous input type value are run the below code:
protected void btnDecode_Click(object sender, EventArgs e)
{
//txtViewState.Text = "/wEPDwULLTE2MTY2ODcyMjkPFgQeCFVzZXJOYW1lBQ5TaHViaCBEYXNndXB0YR4IUGFzc3dvcmQFDElBbUFQYXNzd29yZGRk2/xP37hKKE9jfGYYzFjLuwpi6rHlPdXhfSspF6YRZiI="
string str = System.Text.Encoding.ASCII.GetString(Convert.FromBase64String(txtViewState.Text));
lblDecodedString.Text = str;
}
The output for the above code will be ?-1616687229UserNameShubh DasguptaPasswordIAmAPassworddd??O??J(Oc|f?X?? b???=??}+)?f"
If you read in details of the article I mentioned before, you would come up with the ‘Cost Of ViewState’ where it is clearly and beautifully written :
On all page visits, during the save view state stage the Page class
gathers the collective view state for all of the controls in its
control hierarchy and serializes the state to a base-64 encoded
string. (This is the string that is emitted in the hidden __VIEWSTATE
form filed.) Similarly, on postbacks, the load view state stage needs
to deserialize the persisted view state data, and update the pertinent
controls in the control hierarchy.
Try it yourself. Download Sample
Method 5
ViewState’s not encrypted as default, using base64 encoding. You may want to use viewstate if your page has an action with controls.
Method 6
ViewState is one technique asp.net uses to enable the postback model. The state for all controls that are marked runat="server" is stored in this base64 string.
This pluralsite article explains in more depth
All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0