asp.net viewstate encryption issue


Problem description


I am attempting to turn on viewstate encryption Always as a security measure for my ASP.NET 3.5 website hosted in IIS6. We have viewstate turned off but still see some "controlstate" in this string. In a test environment I am able to simply set the following in web.config and I can no longer base64 decode the viewstate to semi-plaintext:

<pages enableViewState="false" enableViewStateMac="true" viewStateEncryptionMode="Always">

I have even added the following (generated by machine key generator) to machine.config and it still encrypts the viewstate fine on my test server:

<machineKey validationKey="002..." decryptionKey="D90E..." validation="SHA1" decryption="AES" />

My non-test environment doesn't seem to pick up the above changes as I can always base64 decode the viewstate to plain text with the above settings. I always iisreset after I make any changes.

Some info about my non-test webserver:

  • Web Farm/Load Balanced (but only one server up for testing right now)
  • Sql Session State (machinekey in machine.config was initially needed to set this up)
  • machine.config: deployment retail="true"

Can anyone suggest where to look for additional settings that might interfere with asp.net viewstate encryption?

EDIT: Now on my IIS test server I cannot undo the viewStateEncryptionMode setting as it is encrypting the viewstate even when I set it to "Never" and none of my other websites seem to take a hold of this setting. Where can I possibly look to see where this property is being overridden? Is there any cache where this setting is stored that needs to be cleared besides what would be done when I iisreset/stop www service/touch machine.config?

EDIT FINAL: After days of studying config files I gave up and implemented this via code. I already had a security module that was attaching to page events so in Page_Load I added: Page.RegisterRequiresViewStateEncryption();

I would really love to know what was preventing this setting from getting picked up on IIS6 immediately. When I run cassini locally, if I set the viewStateEncryptionMode to "Always" via the pages node I would immediately see it encode the viewstate and render the additional hidden field with id="__VIEWSTATEENCRYPTED". When I then set it to "Never" I would immediately see the encryption turn off. If I make the same exact change to the website on my IIS6 hosted website, it would have no effect immediately but if I allow the setting to stay there it would eventually take hold. I would stop/start www service, reset iis, clear ASPNET temp cache but I don't know what else to try? Hopefully this post can ROT for a while and someone in the future will see the same behavior I experienced and we can further figure this out!

Solution

Web.config page settings do not apply to a pre-compiled ASP.NET application with the updatable option disabled. It has been a while, but my test server I likely had deployed with the updatable option disabled ... lesson learned.

SEE MSDN

Similar question I asked, same issue.
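
A way to confirm on a deployed page whether the setting actually took hold, using the two signals the question describes (the `__VIEWSTATEENCRYPTED` hidden field and whether `__VIEWSTATE` base64-decodes to readable data). This is an added example, not part of the original question or answer; the names `viewstate_status` and `sample_page`, the constructed sample pages, and the assumption that unencrypted view state begins with the bytes 0xFF 0x01 are this example's own.

```python
import base64
import binascii
from html.parser import HTMLParser

# Assumption: unencrypted view state is ObjectStateFormatter output, which
# starts with a format marker (0xFF) and a version byte (0x01).
PLAINTEXT_MAGIC = b"\xff\x01"

class _HiddenFields(HTMLParser):
    """Collects the values of <input type="hidden"> fields by name (or id)."""
    def __init__(self):
        super().__init__()
        self.fields = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden":
            key = a.get("name") or a.get("id")
            if key:
                self.fields[key] = a.get("value") or ""

def viewstate_status(html):
    """Classify one rendered page: absent, plaintext, encrypted or inconsistent."""
    parser = _HiddenFields()
    parser.feed(html)
    if "__VIEWSTATE" not in parser.fields:
        return "absent"
    try:
        raw = base64.b64decode(parser.fields["__VIEWSTATE"], validate=True)
    except (binascii.Error, ValueError):
        return "inconsistent"
    readable = raw.startswith(PLAINTEXT_MAGIC)
    flagged = "__VIEWSTATEENCRYPTED" in parser.fields
    if flagged and not readable:
        return "encrypted"
    if readable and not flagged:
        return "plaintext"
    return "inconsistent"  # marker field and payload disagree: investigate

def sample_page(payload, encrypted):
    """Build a constructed sample page around the given raw view-state bytes."""
    value = base64.b64encode(payload).decode("ascii")
    marker = '<input type="hidden" name="__VIEWSTATEENCRYPTED" value="" />' if encrypted else ""
    return '<form><input type="hidden" name="__VIEWSTATE" value="%s" />%s</form>' % (value, marker)

# Constructed samples, not captured from any real site.
SAMPLE_PLAIN = sample_page(b"\xff\x01\x0f\x05constructed control state", False)
SAMPLE_ENCRYPTED = sample_page(bytes(range(16, 64)), True)
if __name__ == "__main__":
    print(viewstate_status(SAMPLE_PLAIN), viewstate_status(SAMPLE_ENCRYPTED))
```

Feeding it the HTML saved from each server after a deployment shows which ones are still rendering readable view state, which is the symptom the pre-compiled, non-updatable deployment produced here.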
