<<< Date Index >>>     <<< Thread Index >>>

RE: ASP.NET __VIEWSTATE crypto validation prone to replay attacks



Microsoft has addressed your issues 1-a, 1-b and 1-c by adding a property 
"ViewStateUserKey" to the System.Web.UI.Page class in .NET Framework 1.1.  The 
documentation for this property is here:

http://msdn.microsoft.com/library/en-us/cpref/html/frlrfsystemwebuipageclassviewstateuserkeytopic.asp

Of course, it is up to the individual web page developer to ensure an 
appropriate non-trivial value has been placed into this property.  As we all 
know, this is exactly the sort of detail that developers often forget or flub, 
with disastrous results.

--Tim Farley
  SPI Dynamics

Start Secure. Stay Secure.
Security Assurance Throughout the Application Lifecycle.