
ViewStateUserKey final verdict

I did some more investigation on this subject and found a proper way to use this mechanism and add a layer of defense to your Web site. The solution is to set ViewStateUserKey only after the user's identity has been authenticated, i.e. the proper code segment looks like this:

   // Bind the view state to the current session only for authenticated users;
   // this must run during page initialization (Page_Init), before view state is loaded.
   if (User.Identity.IsAuthenticated)
      ViewStateUserKey = Session.SessionID;

This protects against the well-known one-click attack and can be used in combination with TLS/SSL for protecting access to your site. It may seem overkill when TLS/SSL is already used, and if a performance improvement is badly needed, this added protection may be sacrificed. In general, however, it is a good security measure.

The reason it did not work as I tried earlier is that the system uses a different key to protect the view state for authenticated and unauthenticated identities. So setting the key for the unauthenticated identity on the account page before the redirect occurs, and then returning to that page once authenticated, breaks the mechanism.
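A base page class that applies the rule above to every page deriving from it, written here as an added example rather than code from the original post. The class name SecurePageBase is an assumption; ViewStateUserKey, Session.SessionID and OnInit are the standard System.Web.UI.Page members.

```csharp
using System;
using System.Web.UI;

// Hypothetical base page (added example, not from the post) that binds view
// state to the session for authenticated users only, as the post recommends.
public class SecurePageBase : Page
{
    protected override void OnInit(EventArgs e)
    {
        // ViewStateUserKey must be assigned during the Init stage, before
        // base.OnInit runs the rest of the pipeline; assigning it later in the
        // life cycle (e.g. in Page_Load) throws an HttpException.
        if (User.Identity.IsAuthenticated)
        {
            ViewStateUserKey = Session.SessionID;
        }
        base.OnInit(e);
    }
}

// Every page that should carry the protection derives from the base class
// instead of System.Web.UI.Page (the page name here is illustrative):
public partial class AccountPage : SecurePageBase
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Normal page logic; no ViewStateUserKey handling needed here.
    }
}
```

When a postback arrives carrying view state that was generated under a different key (a replayed form from another session, or the authenticated/unauthenticated mismatch described above), the view state MAC check fails and ASP.NET rejects the request with a view state exception, so an unexpected rise in such errors in the application log is worth watching for. Two things to check when deploying this: view state MAC must not be disabled for these pages, since ViewStateUserKey only matters if the MAC is verified, and Session.SessionID is only stable once the session has actually been established (ASP.NET issues a fresh ID on each request until something is stored in the session), so the key should be taken from a session that already exists.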

OK, I felt it was important to set the record straight, and that's all I wanted to say.
