What does ViewStateUserKey do exactly?


Henri

and what is the "one click attack" that it is said to prevent?
I've tried to use it but it seems that there is no visible change in the
source code...

Thanks
Henri
 
The simplest protection from "one-click attack" is not to use cookies. So,
if you're concerned about real security of your stuff, stop using Session
object and develop your own session. It's easy, takes a bit more processing
on the server (normally about 0.001 seconds more) but it's worth it. I'm
not using Session in all my apps at all and I don't care about 90% of
security threats. Use parameterized sql calls and another 5% will go away.
XSS (cross-site scripting) comes next to "one-click". All those "techniques"
used to screw up your work are well described on the Net - use Google or
something to find related info.
 
Viewstate is encrypted, and asp.net checks that it's valid on each load. To
post a page, you need a valid viewstate. If you steal someone else's viewstate
(say through a sniffer), you can post to the system. Adding a
ViewStateUserKey ties that viewstate to a particular user. The key will be
stored in the viewstate, and compared on post - if it differs, an error is
thrown.

-- bruce (sqlwork.com)


| and what is the "one click attack" that it is said to prevent?
| I've tried to use it but it seems that there is no visible change in the
| source code...
|
| Thanks
| Henri
|
|
|
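
A simplified model of the per-user check discussed in this thread, added here as an illustration; it is not ASP.NET's code and was not posted by anyone in the thread. It assumes the user key is mixed into an integrity tag appended to the view state, and `SERVER_KEY`, the function names, the page state and the session values are all constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the server-side validation key (never sent to clients).
SERVER_KEY = b"constructed-demo-validation-key"
MAC_LEN = hashlib.sha256().digest_size


class ViewStateError(Exception):
    """Raised when a posted field fails the integrity check."""


def _mac(payload: bytes, user_key: str) -> bytes:
    # Model assumption: the per-user key is mixed into the MAC, not into the payload.
    modifier = hashlib.sha256(user_key.encode()).digest()
    return hmac.new(SERVER_KEY, modifier + payload, hashlib.sha256).digest()


def issue_viewstate(payload: bytes, user_key: str = "") -> str:
    """Build the hidden-field value: base64(payload || MAC)."""
    return base64.b64encode(payload + _mac(payload, user_key)).decode()


def load_viewstate(field: str, user_key: str = "") -> bytes:
    """Validate a posted field for the current user and return its payload."""
    try:
        raw = base64.b64decode(field, validate=True)
    except ValueError as exc:
        raise ViewStateError("malformed field") from exc
    payload, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
    if len(raw) < MAC_LEN or not hmac.compare_digest(tag, _mac(payload, user_key)):
        raise ViewStateError("MAC validation failed")
    return payload


def accepted(field: str, user_key: str = "") -> bool:
    """True when the posted field validates for the given user key."""
    try:
        load_viewstate(field, user_key)
        return True
    except ViewStateError:
        return False


if __name__ == "__main__":
    state = b"step=confirm"                      # constructed page state
    user_a, user_b = "session-A", "session-B"    # constructed session IDs
    print("no key, any session:  ", accepted(issue_viewstate(state)))
    print("keyed, same session:  ", accepted(issue_viewstate(state, user_a), user_a))
    print("keyed, other session: ", accepted(issue_viewstate(state, user_b), user_a))
```

In this model the payload bytes and the field length are identical with and without a user key; only the trailing tag differs, so nothing new is visible in the page source. In ASP.NET the property is set during `Page_Init`, typically to a per-user value such as the session ID.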
 