Is EnableViewStateMAC=true compulsory for ViewStateEncryption in an ASP.Net Website?

Posted 2021-06-17 Chuck Lu

Is EnableViewStateMAC=true compulsory for ViewStateEncryption in an ASP.Net Website?

问题

I\'m currently fixing some Security issues in our ASP.net website application.

One of the issue was that the ViewState was not encrypted.

So I did check on StackOverFlow and elsewhere on how to encrypt the viewState, and I did it using the <pages viewStateEncryptionMode="Always" /> and adding a 3DES machinekey like this <machineKey validation="3DES" /> in Web.config .

I would like to know if the "EnableViewStateMAC=true" is also compulsorily necessary? since this was mentioned in some of the suggested solutions I had found online. But, on my checks I found the encryption is working even without this.

[NOTE: I had to do these changes at an application level (Web.config) since making individual page changes is not a practical solution for this application.]

 

回答1

Do not ever set EnableViewStateMac to false, even if encryption is enabled. The MAC guarantees that the client cannot maliciously tamper with the contents of ViewState. (Encryption by itself isn\'t sufficient to guarantee this; the MAC is necessary.)

The EnableViewStateMac property will be removed in a future version of the product since there is no valid reason to set it to \'false\'.

 

回答2

Just in case:

Starting with ASP.NET 4.5.2, the runtime enforces EnableViewStateMac = true

more details here: ASP.NET 4.5.2 and EnableViewStateMac

 

回答3

You might want to note that as of September 2014

All versions of the ASP.NET runtime 1.1 - 4.5.2 now forbid setting

<%@ Page EnableViewStateMac="false" %>

and

<pages enableViewStateMac="false" />

http://blogs.msdn.com/b/webdev/archive/2014/09/09/farewell-enableviewstatemac.aspx