mailing list archives
RE: ASP.NET __VIEWSTATE crypto validation prone to replay attacks
From: "Tim Farley" <tfarley () spidynamics com>
Date: Tue, 3 May 2005 12:58:33 -0400
Microsoft has addressed your issues 1-a, 1-b and 1-c by adding a property "ViewStateUserKey" to the System.Web.UI.Page
class in .NET Framework 1.1. The documentation for this property is here:
Of course, it is up to the individual web page developer to ensure an appropriate non-trivial value has been placed
into this property. As we all know, this is exactly the sort of detail that developers often forget or flub, with
Start Secure. Stay Secure.
Security Assurance Throughout the Application Lifecycle.