If you have an SSL certificate for a web site, is it necessary to make the ViewState more difficult to d开发者_如何学编程ecode. Without any extra development, it appears that ASP.NET encodes it as a base 64 string. I found some sample code to easily decode this hidden field "__VIEWSTATE". Doesn't SSL encrypt this (along with other things) for you?
PS: If this is the incorrect site to post this question, please let me know. I also have it on the Security site, but I don't know how much they know about web applications and ASP.NET.
SSL will encrypt the data during transport. When the data is moving between the server and browser, including the view state.
It is up to you to do more on the page, if you feel the need. At the point that a browser is viewing the page, it has been transferred securely to the browser - do you feel that you need to protect the view state from the person using the browser?
You should not store sensitive data in the ViewState, ever!
Addendum
If you're not storing sensitive data in the ViewState, then don't worry about encrypting or decrypting it. It will just add unnecessary overhead.
精彩评论