What is included in ViewState when I have set EnableViewState="false"

[Tony Johansson]

Hello!

The asp.net group doesn't seem to know this so I try here because this group
seems to know even asp.net questions.


I have switched off ViewState by setting EnableViewState="false" in the page
directive like this Page Language="C#" AutoEventWireup="true"
CodeFile="Default.aspx.cs" Inherits="_Default" EnableViewState="false" %>
I have no control on the page it's completely empty.

I just wonder when I right click in the browser and select show source when
the webSite is running I can see that
ViewState looks like this
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE"
value="/wEPDwUKMTk5MzU0MDY4NGRk8V6RDOd2UNYdpVHGcUdkHt1laNc=" />

So does anyone have the slightest idea what can this contain when the
ViewState is swithed off ?

//Tony

 

[Jeff Johnson]

I just wonder when I right click in the browser and select show source
when
the webSite is running I can see that
ViewState looks like this
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE"
value="/wEPDwUKMTk5MzU0MDY4NGRk8V6RDOd2UNYdpVHGcUdkHt1laNc=" />

So does anyone have the slightest idea what can this contain when the
ViewState is swithed off ?

No, because apparently your ViewState is encrypted. I think this became the
default in .NET 2.0 or something like that. The value attribute is merely a
Base64-encoded string, and in ye olden days you could simply decode it and
see everything in it. This was a security risk since a malicious user could
theoretically rewrite ViewState and do bad things during a postback, so some
sort of machine-level key was added and ViewState is now encrypted with this
key. I think you can turn this behavior off, but I don't remember how off
the top of my head. Search Google for "ViewState machine key" or something
like that and see what you get. Then turn it off and decode the value, or
post it here and I'll decode it for you.

 

[Tony Johansson]

It contains nothing. If you want speed between the client and server on
the round trip between the two, you turn it off and not send the view
state.

You say that that the ViewState contains nothing when the ViewState is
turned off but if I look at the
value of the ViewState it has the following contens and this is NOT nothing.
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE"
My question is still relevant and I hope somebody has some answer to it.
//Tony

 

[Jason Keats]

You say that that the ViewState contains nothing when the ViewState is
turned off but if I look at the
value of the ViewState it has the following contens and this is NOT nothing.
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE"

It wouldn't surprise me that if you start off with no viewstate, then
you add a hash value, then encrypt it, then base64 encode it that you
end up with something like the above. But that's just my guess.

Fritz Onion, the author of this article
<http://msdn.microsoft.com/en-us/magazine/cc163901.aspx> on viewstate
has written at least one book on ASP.NET. Perhaps you should read one?

 

[Jeff Johnson]

Who cares about a disabled viewstate and what is in it?

I do. It seems to me that if it's disabled then the hidden field shouldn't
even be there AT ALL, yet it is. Like Tony, I'd like to know what's in
there, purely for the sake of curiosity.

 

[Arne Vajhøj]

I do. It seems to me that if it's disabled then the hidden field shouldn't
even be there AT ALL, yet it is. Like Tony, I'd like to know what's in
there, purely for the sake of curiosity.

If the viewstate is not encrypted (which it should be, but you can turn
it off for the experiement), then you can easily check the content.

One way is to use the ViewState decoder available here:
http://alt.pluralsight.com/tools.aspx

In the case of the disabled viewstate it does not explain
much though.

Arne