« The layered approach to internet security | Main | A classic example of approaching a security and privacy problem the wrong way »

ViewStateUserKey issue revisited

Deeper investigation shows that this security mechanism works in relatively simple scenarios: you have a page with a form on it, you click a button and the form is submitted back to the server. No problem.

Imagine, however, you have two pages: Account.aspx and login.aspx. Assume that both are derived from a base class Base.cs that sets

                  ViewStateUserKey = Session.SessionID;

in the OnInit() method. Let's further consider the case where in Account.aspx.cs you have

            protected void Page_Load(object sender, EventArgs e)


                        if (User.Identity.IsAuthenticated == false)



Login.aspx on the other hand has a login control whose target URL is Account.aspx.

The logic here ensures that anytime you want to access the account page and you are not authenticated, you are automatically forwarded to the login page, submit your credentials and then enter the account page.

Unfortunately, this breaks the ViewStateUserKey-based security mechanism. The ASP.NET 2.0 Framework fails to verify the integrity of login page at the server back-end.

Bottom line: if you utilize similar techniques in your Web site, you cannot use the ViewStateUserKey mechanism. Instead, you should rely on SSL and configure the ASP.NET RoleManager and Form authentication to require SSL.


TrackBack URL for this entry:

Hosting by Yahoo!

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)