JimF
We have an application that is persisting ViewState to a SQL database and
thus all of our pages only have a GUID for the view state hidden field. We
are also getting ViewStateMac errors under certain conditions, like using the
Back button, which we seem to not have control over.
1. A user cannot do ViewState injection since WE are storing the viewstate
server side. (At best, they could only replace the GUID with a different one
and the odds of them finding an unexpired GUID are worse than winning the
lottery...)
2. My understanding of ViewStateMac is that it is a Digest of the ViewState,
plus some secret key stuff.
So, (finally), my question is, from a security standpoint, how necessary is
it to use ViewStateMac when the content of the ViewState is not going back to
the user?
Thanks in advance.