asp.net encryption iis-6 viewstate cassini

viewStateEncryptionMode="Always" not encrypting


Due to some security concerns I need to enable View State Encryption. I have viewstate & viewstateMAC turned off but I need to encrypt the "control state" string that is included in the __VIEWSTATE form parameter.

Currently my web.config looks like:

    <pages enableViewState="false" enableViewStateMac="false">

When I set the following, in cassini, my viewstate is encrypted:

    <pages enableViewState="false" enableViewStateMac="false" viewStateEncryptionMode="Always">

When I make the same change on my IIS 6 server, nothing happens.

I see the app domain recycle (Event: Application '/LM/W3SVC/...' located in 'C:...' initialized for domain '...') when I touch web.config, but I do not get encrypted viewstate as with cassini. I have tried Site Stop/Start, IIS Reset Stop/Start, Clear ASP.NET Temporary file cache. Anyone have any suggestions on what needs to be done to configure this?


Solution

  • I ran into a similar problem with this and it came down to the fact that if you pre-compile your site, the web.config node for pages is ignored. You have to set those settings at compile to get it working. I know this is a year late, but I figure if someone else comes here looking for a solution to the problem this might be useful information.

    A little blurb about this: http://blogs.msdn.com/b/asiatech/archive/2011/07/19/pages-settings-don-t-work-for-pre-compiled-asp-net-applications.aspx
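A way to confirm from a rendered page whether the deployed site really encrypts `__VIEWSTATE`, as an added example that is not part of the original question or answer. It relies on two ASP.NET behaviours: unencrypted state starts with the ObjectStateFormatter header bytes `FF 01`, and the page emits a `__VIEWSTATEENCRYPTED` hidden field when it encrypted the state. The function names and the sample markup are assumptions constructed for illustration.

```python
import base64
import re

# ObjectStateFormatter output begins with a format marker (0xFF) and version (0x01).
PLAINTEXT_HEADER = b"\xff\x01"

HIDDEN_FIELD = re.compile(
    r'<input[^>]*\bname="(__VIEWSTATE|__VIEWSTATEENCRYPTED)"[^>]*\bvalue="([^"]*)"',
    re.IGNORECASE,
)

def hidden_fields(html):
    """Return the ASP.NET state-related hidden fields found in a rendered page."""
    return {name.upper(): value for name, value in HIDDEN_FIELD.findall(html)}

def classify_viewstate(html):
    """Heuristic verdict: no-viewstate, undecodable, empty, plaintext, encrypted, opaque."""
    fields = hidden_fields(html)
    if "__VIEWSTATE" not in fields:
        return "no-viewstate"
    try:
        raw = base64.b64decode(fields["__VIEWSTATE"], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "undecodable"
    if not raw:
        return "empty"
    if raw.startswith(PLAINTEXT_HEADER):
        return "plaintext"  # serializer header readable: not encrypted
    # ASP.NET adds this marker field when it encrypted the state.
    return "encrypted" if "__VIEWSTATEENCRYPTED" in fields else "opaque"

def _page(value, encrypted_marker=False):
    # Constructed sample markup in the shape ASP.NET renders hidden fields.
    html = '<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="%s" />' % value
    if encrypted_marker:
        html += '<input type="hidden" name="__VIEWSTATEENCRYPTED" id="__VIEWSTATEENCRYPTED" value="" />'
    return "<form>" + html + "</form>"

# Constructed samples, not captured from a real site.
PLAIN_PAGE = _page(base64.b64encode(b"\xff\x01" + b"constructed control state").decode())
ENCRYPTED_PAGE = _page(base64.b64encode(bytes(range(16, 64))).decode(), True)

if __name__ == "__main__":
    for label, page in (("IIS 6 (setting ignored)", PLAIN_PAGE), ("Cassini", ENCRYPTED_PAGE)):
        print(label, "->", classify_viewstate(page))
```

Run it against the HTML saved from each environment after a deployment; a `plaintext` verdict on the pre-compiled site means the `viewStateEncryptionMode` setting did not take effect there.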