是在ASP.Net网站EnableViewStateMAC = TRUE强制ViewStateEncryption? [英] Is EnableViewStateMAC=true compulsory for ViewStateEncryption in an ASP.Net Website?
问题描述
我目前固定在我们的ASP.net的网站应用程序的一些安全问题。
I'm currently fixing some Security issues in our ASP.net website application.
其中一个问题是,的ViewState
未经过加密。
One of the issue was that the ViewState
was not encrypted.
所以,我没有检查计算器和其他地方如何在视图状态进行加密,而我做到了使用<网页viewStateEncryptionMode =总是/>
并添加一个3DES的machineKey这样<将machineKey验证=3DES/>
在Web.config中
So I did check on StackOverFlow and elsewhere on how to encrypt the viewState, and I did it using the <pages viewStateEncryptionMode="Always" />
and adding a 3DES machinekey like this <machineKey validation="3DES" />
in Web.config .
我想知道,如果EnableViewStateMAC =真正的
也是强制性必要吗?,因为这是提到了一些建议的解决方案的我在网上找到。
但是,在我的支票,我发现了加密工作,即使没有这一点。
I would like to know if the "EnableViewStateMAC=true"
is also compulsorily necessary? since this was mentioned in some of the suggested solutions I had found online.
But, on my checks I found the encryption is working even without this.
[注:我从做个人网页的变化做这些改变在应用程序级别(Web.config文件)不是该应用程序的实际解决方案] 的
推荐答案
永远不要设置EnableViewStateMac为false,即使启用加密。陆委会保证了客户端无法恶意使用ViewState中的内容篡改。 (加密本身并不足以保证此;该MAC是必要的)
Do not ever set EnableViewStateMac to false, even if encryption is enabled. The MAC guarantees that the client cannot maliciously tamper with the contents of ViewState. (Encryption by itself isn't sufficient to guarantee this; the MAC is necessary.)
在EnableViewStateMac属性将在产品的未来版本中删除,因为没有正当的理由将其设置为假。
The EnableViewStateMac property will be removed in a future version of the product since there is no valid reason to set it to 'false'.
这篇关于是在ASP.Net网站EnableViewStateMAC = TRUE强制ViewStateEncryption?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!