How to detect programmatically whether ViewState has been tampered with


Problem description

I have searched many sites but have not found any solution for how to detect programmatically whether ViewState has been tampered with.

I got one suggestion from a site that said to set EnableViewStateMac to true in the @Page directive, and that other settings like ValidationKey and ValidationAlgorithm also have to be defined. But they did not say how to configure settings like ValidationKey and ValidationAlgorithm. Can anyone point me in the right direction? Thanks.

Recommended answer

The EnableViewStateMac property is true by default in ASP.NET. When it is true, it prevents anyone from changing the viewstate (an exception will be thrown when ASP.NET detects a change).

What it doesn't prevent is replay and Cross-site request forgery attacks. A viewstate is by default not locked to a single user, which allows hackers to copy the view state and resend it in the context of another user. This is where the ViewStateUserKey comes in. You can set it with the ID of a logged-in user, which will prevent the ViewState from being reused in the context of another user.

You can read more about it here, and there is a CodePlex project specially for preventing CSRF attacks. Don't roll your own, use that library!

Update

Here is an example of how to use the ViewStateUserKey:

// Set in Init: ViewStateUserKey must be assigned before ViewState is loaded,
// so that it is included in the MAC check on postback.
void Page_Init(object sender, EventArgs e)
{
    this.ViewStateUserKey = this.Session.SessionID;
}
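The two halves of the answer fit together in one place: ViewStateUserKey is set before ViewState is loaded, and a failed MAC check surfaces as a ViewStateException that can be recognised and logged rather than treated as a generic error. The example below is added here and is not code from the original answer or from any library it mentions; it assumes a Web Forms application whose pages inherit from a shared base page, keeps EnableViewStateMac at its default of true, and has a session established (SessionID only stays stable once something has been stored in Session; otherwise every postback would fail validation). The validation key and algorithm the question asks about are not set in code but in web.config's machineKey element, reproduced in the leading comment; the Trace logger is a stand-in for whatever the application normally uses.

```csharp
// Added example, not from the original answer. Assumes ViewState MAC validation is
// on (the default). The key and algorithm live in web.config, not in code, e.g.:
//   <machineKey validationKey="...hex key..." decryptionKey="...hex key..."
//               validation="HMACSHA256" decryption="AES" />
using System;
using System.Web;
using System.Web.UI;

// Base page: ties ViewState to the current session, so a ViewState captured in one
// session no longer passes the MAC check when replayed in another.
public class SecurePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Must be set before ViewState is loaded (Init, not Load). Assumes the
        // session has been established, otherwise SessionID changes per request.
        ViewStateUserKey = Session.SessionID;
    }
}

// Global.asax code-behind: when MAC validation fails, ASP.NET throws an HttpException
// whose InnerException is a ViewStateException. Unwrap it so the event is logged as a
// tampering/replay attempt and the client gets a plain 400 instead of an error page.
public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        ViewStateException vse = FindViewStateException(ex);
        if (vse == null)
        {
            return; // not a ViewState problem; leave it to normal error handling
        }

        LogViewStateFailure(vse);

        Server.ClearError();
        Response.Clear();
        Response.StatusCode = 400;
        Response.Write("Invalid request.");
        CompleteRequest();
    }

    // Walks the InnerException chain looking for a ViewStateException.
    internal static ViewStateException FindViewStateException(Exception ex)
    {
        while (ex != null)
        {
            ViewStateException vse = ex as ViewStateException;
            if (vse != null)
            {
                return vse;
            }
            ex = ex.InnerException;
        }
        return null;
    }

    // Logs request context for investigation without echoing the ViewState payload
    // back to the client. Trace is a placeholder for the application's real logger.
    private static void LogViewStateFailure(ViewStateException vse)
    {
        System.Diagnostics.Trace.TraceWarning(
            "ViewState validation failed: path={0} remote={1} referer={2} agent={3} message={4}",
            vse.Path, vse.RemoteAddress, vse.Referer, vse.UserAgent, vse.Message);
    }
}
```

Because the base page sets ViewStateUserKey, a ViewState copied from one session and posted in another fails the same MAC check that catches a modified payload, so both cases end up in the same log line with the client address, path and referer needed to tell an isolated error from a pattern of probing.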

