asp.netencryptionviewstatebase64machinekey

asp.net viewstate encryption issue


I am attempting to turn on viewstate encryption Always as a security measure for my ASP.NET 3.5 website hosted in IIS6. We have viewstate turned off but still see some "controlstate" in this string. In a test environment I am able to simply set the following in web.config and i can no longer base64 decode the viewstate to semi-plaintext:

<pages enableViewState="false" enableViewStateMac="true" viewStateEncryptionMode="Always">

I have even added the following (genereated by machine key generater) to machine.config and still encrypts the viewstate fine on my test server:

<machineKey validationKey="002..." decryptionKey="D90E..." validation="SHA1" decryption="AES" />

My non-test environment doesn't seem to pick up the above changes as i can always base64 decode the viewstate to plain text with the above settings. I always iisreset after i make any changes.

Some info about my non-test webserver:

Can anyone suggest where to look for additional settings that might interfere with asp.net viewstate encryption?

EDIT: Now on my iis test server i cannot undo the viewStateEncryptionMode setting as it is encrypting the viewstate even when i set it to "Never" and none of my other websites seem to take a hold of this setting. Where can i possibly look to see where this property is being overridden? Is there any cache where this setting is stored that needs to be cleared besides what would be done when i iisreset/stop www service/touch machine.config?

EDIT FINAL: After days of studying config files i gave up and implemented this via code. I already had a security module that was attaching to page events so in Page_Load i added: Page.RegisterRequiresViewStateEncryption();

I would really love to know what was preventing this setting from getting picked up on IIS6 immediatley. When i run cassini locally if i set the viewStateEncryptionMode to "Always" via the pages node i would immediately see it encode the viewstate and render the additional hidden field with id="__VIEWSTATEENCRYPTED". When i then set it to "Never" i would immediately see the encryption turn off. If i make the same exact change to the website on my IIS6 hosted website, it would have no effect immediately but if i allow the setting to stay there it would eventually take hold. I would stop/start www service, reset iis, clear ASPNET temp cache but i don't know what else to try? Hopefully this post can ROT for a while and someone in the future will see the same behavior i experienced and we can further figure this out!


Solution

  • Web.config page settings do not apply to pre-compiled ASP.Net application with updatable option disabled. It has been a while but my test server i likely had deployed with updatable option disabled ... lesson learned.

    SEE MSDN

    Similar Question i Asked, same issue.