
ASP.NET Viewstate handling

You can “tamper-proof” your ViewState, reducing the likelihood of someone spoofing your application, by setting the EnableViewStateMac attribute. If necessary, you can encrypt it too.

However, by default, ASP.NET creates a random validation key and stores it in each server’s Local Security Authority (LSA). In order to validate a ViewState field created on another server, the validationKey for both servers must be set to the same value. If you secure ViewState by any of the means listed above for an application running in a Web Farm configuration, you will need to provide a single, shared validation key for all of the servers.

The article Q313091, “HOW TO: Create Keys by Using Visual Basic .NET for Use in Forms Authentication”, shows how to generate keys for use in the validationKey and the decryptionKey attributes of the `<machineKey>` section in the `<system.web>` element in the Machine.config and the Web.config files.
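
As an added example (not from the original post or the KB article), this C# console program models the web-farm problem described above with a simplified HMAC-SHA256 check, then prints a shared `<machineKey>` element built from a cryptographic RNG. The class name, the payload string, the key lengths and the `HMACSHA256`/`AES` choices (ASP.NET 4.0 or later) are assumptions, and the MAC is a model rather than ASP.NET's actual ViewState serialization.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical demo class; not part of ASP.NET or the KB article.
static class MachineKeyDemo
{
    // Random key bytes from the OS cryptographic RNG (never System.Random).
    static byte[] NewKey(int length)
    {
        var key = new byte[length];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(key);
        return key;
    }
    // machineKey attributes take the key as a hex string.
    static string Hex(byte[] data) => BitConverter.ToString(data).Replace("-", "");
    // Simplified model of a MAC-protected field: HMAC-SHA256 over the payload.
    static byte[] Mac(byte[] key, string payload)
    {
        using (var hmac = new HMACSHA256(key))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }
    // Recompute the MAC with this server's key and compare in constant time.
    static bool Validate(byte[] key, string payload, byte[] mac)
    {
        byte[] expected = Mac(key, payload);
        int diff = expected.Length ^ mac.Length;
        for (int i = 0; i < expected.Length && i < mac.Length; i++)
            diff |= expected[i] ^ mac[i];
        return diff == 0;
    }
    static void Main()
    {
        const string payload = "constructed-viewstate-payload"; // constructed sample
        // Default behaviour: each server holds its own auto-generated key.
        byte[] serverA = NewKey(64), serverB = NewKey(64);
        Console.WriteLine("B accepts A's field (separate keys): {0}",
            Validate(serverB, payload, Mac(serverA, payload)));
        // Web farm: every server is configured with the same key.
        byte[] shared = NewKey(64);
        Console.WriteLine("B accepts A's field (shared key):    {0}",
            Validate(shared, payload, Mac(shared, payload)));
        // Assumed sizes: 64-byte validation key, 32-byte AES decryption key.
        // The element goes under <system.web> on every server in the farm.
        Console.WriteLine("<machineKey validationKey=\"{0}\" decryptionKey=\"{1}\" " +
            "validation=\"HMACSHA256\" decryption=\"AES\" />", Hex(shared), Hex(NewKey(32)));
    }
}
```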