Protecting View State in ASP.Net

By default ASP.NET uses autogenerated keys for view state validation and encryption. Validation and decryption happen separately and therefore two different keys are employed. Both keys reside in each server's SLA. What happens if your web application runs in a web farm? How would you facilitate a view state that came from another server? Obviously the set of keys from this other server will be different.

The way out is to create both the validation and decryption keys by hand and store them in your web.config:

MachineKey attributes:

• validationKey specifies the key for validation of the view state. ASP.NET will use this key when calculating MACs. The key must be 20 to 64 bytes (40 to 128 hexadecimal characters). The recommended key length is 64 bytes. This key should be generated in a random manner. If you tag IsolateApps to the end of the key value ASP.NET will generate a unique key for each application using the application's ID.
• decryptionKey specifies the key used to encrypt and decrypt the view state when validation="3DES". They key must be 8 for DES encryption or 24 bytes for 3DES (16 or 48 hexadecimal characters respectively). The recommended key length is 48 bytes. This key should be generated in a random manner. If you tag IsolateApps to the end of the key value ASP.NET will generate a unique key for each application using the application's ID.
• validation sets the type of encryption. When set to SHA1 or MD5 it instructs ASP.NET to use either SHA1 or MD5 algorithm to create view state MACs. When set to 3DES instructs ASP.NET to encrypt the view state (also provides integrity checking) with the help of the Triple-DES symmetric encryption algorithm.