asp.net视图状态加密 [英] asp.net viewstate encryption

问题描述

我何时以及如何在ViewState的3.5 asp.net加密有关的几个问题。
举例来说，如果我有我的web.config像的machineKey项：
 
    decryptionKey =自动生成，IsolateApps
    验证=AES
    解密=自动/>

I have a few questions about when and how viewstate is encrypted in asp.net 3.5. For instance, if I have a machinekey entry in my web.config like: decryptionKey="AutoGenerate,IsolateApps" validation="AES" decryption="Auto" />

时的ViewState加密在这一点？或者，我需要在网页中指定部分viewStateEncryptionMode也？

Is viewstate encrypted at this point? Or do I need to specify the viewStateEncryptionMode in the page section also?

此外，是否有可能加密formsauthentication饼干，但同时不加密的ViewState？

Also, is it possible to encrypt a formsauthentication cookie, but not encrypt viewstate at the same time?

感谢您的帮助。

推荐答案

在页面上的控件可以请求加密被用于ViewState中，但即使这个要求可以通过该页面设置覆盖。

The controls on the page can request that encryption be used for the ViewState, but even this request can be overridden by the page setting.

该ViewStateEncryptionMode枚举有三个值：自动，总是和从不。默认值是自动。

The ViewStateEncryptionMode enumeration has three values: Auto, Always, and Never. The default value is Auto.

ViewStateEncryptionMode.Auto

在此模式下，ASP.NET会如果页面上的任何控制要求它加密的ViewState的页面。注意，这意味着所有的视图状态的是加密的，而不仅仅是视图状态为请求它的控制。与加密相关的性能开销的很大一部分是在开销。因此，加密整个ViewState是不是做单独的加密操作，如果多个控件发出请求更快。

In this mode, ASP.NET will encrypt the ViewState for a page if any control on the page requests it. Note that this means all of the ViewState is encrypted, not just the ViewState for the control that requests it. A large part of the performance cost associated with encryption is in the overhead. So encrypting the whole ViewState is faster than doing separate encryption operations if more than one control makes the request.

ViewStateEncryptionMode.Never

正如你所期望的，在这种模式下ASP.NET将不加密的ViewState，即使应用程序设置为加密和控件在页面上提出过要求。如果你知道，没有涉及页面的数据需要加密，那么它可能是安全的，将模式设置为从不。然而，在这一点上是罕见的关于控制透露什么被保存在ViewState中的文件，所以你要小心，如果有机会的敏感数据可能会暴露。

As you would expect, in this mode ASP.NET will not encrypt the ViewState, even if the application is set for encryption and controls on the page have requested it. If you know that no data involved in the page needs to be encrypted, then it may be safe to set the mode to Never. However, at this point it is rare for the documentation about a control to disclose what is being saved in ViewState, so you will want to be careful if there is a chance that sensitive data could be exposed.

ViewStateEncryptionMode.Always

在此模式下，ASP.NET不等待控制在页面来要求加密。 ViewState是始终加密。当处理敏感数据，这是一个很好的做法，利用加密。

In this mode, ASP.NET does not wait for a control in the page to request encryption. ViewState is always encrypted. When working with sensitive data, it is a good practice to utilize encryption.

来源：<一个href=\"http://msdn.microsoft.com/en-us/library/aa479501.aspx\">http://msdn.microsoft.com/en-us/library/aa479501.aspx

这篇关于asp.net视图状态加密的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！