When a Web Forms form is set to runat="server", a hidden field, __VIEWSTATE, is added to it. __VIEWSTATE holds the state values of all controls in ViewState. ViewState is a collection of name/value objects. When a page is requested, ASP.NET serializes the state of all controls into a string and sends it to the client as a hidden field of the form; when the client posts the page back, ASP.NET parses the returned form field and assigns the corresponding values to the controls.
When we write an ASP.NET form, once the form is marked runat="server", ASP.NET automatically adds a hidden field to the page when it is rendered:
<input type="hidden" name="__VIEWSTATE" value="">
With this hidden field, the state of all other controls on the page, including the page itself, is saved in the field's value. Each time the page is submitted to the server, ASP.NET decodes this value and restores the state of each control from it. The value of this field may look something like this: Oz4+o2w8atwxpjs+o2w8 .... Many people assume this is encrypted information. In fact, Microsoft simply puts the state of the controls and the page into the appropriate objects, serializes those objects, Base64-encodes the result, and assigns it directly to the ViewState field.
I. How ViewState works
1. The browser requests the Default.aspx page.
2. ViewState is created on the server side, and a hidden field named __VIEWSTATE (two underscores, all uppercase) is created automatically. The hidden field's value is Base64-encoded and returned to the browser; this is done in the Saveallstate method in the SaveState event of the page life cycle.
3. When the browser submits the form, the __VIEWSTATE hidden field is submitted to the server with it. At this point the Readallstate method of the ReadState event of the page life cycle Base64-decodes the value and assigns it to the ViewState entry with the corresponding name.
4. Finally, the values in ViewState can be used.
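II. Using ViewState
1. Define ViewState properties
public int PageCount
{
    // ViewState returns null until the key has been set, so fall back to 0
    // instead of unboxing null (which would throw).
    get { return (int)(ViewState["PageCount"] ?? 0); }
    set { ViewState["PageCount"] = value; }
}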
2. Conditions for the use of ViewState
To use ViewState, the ASPX page must contain a server-side form tag (<form runat="server">). A form is required so that the hidden field containing the ViewState information can be posted back to the server. It must also be a server-side form, so that the ASP.NET page framework can add the hidden field when the page is executed on the server.
The page's EnableViewState property value is True
The control's EnableViewState property value is True
3. Points to note when using ViewState
A. When the page posts back, disable ViewState for controls whose values do not need to be maintained.
B. ViewState keys are case-sensitive.
C. ViewState does not work across pages.
D. To be stored in ViewState, an object must be serializable or have a TypeConverter defined.
E. When the TextMode property of a TextBox control is set to Password, its state is not saved in ViewState, presumably for security reasons.
F. Do not use ViewState when the page does not post back or redirects, or when it transfers (Transfer) to another page during the postback.
G. Be careful with the ViewState of controls that are created dynamically.
H. When ViewState is disabled for an application, ViewState is also disabled for all pages of that application.
I. ViewState persists only when the page posts back to itself.
4. Set ViewState
ViewState can be configured at the control, page, application, and global configuration levels. EnableViewState is true by default. To disable ViewState for all pages, set EnableViewState to false in the application configuration.
III. The resulting __VIEWSTATE (as pictured)
Use ViewStateDecoder2 (ViewState Viewer) to see the value.
So ViewState is relatively weak from a security standpoint, and storing confidential or sensitive information in it is not recommended. Although ViewState can be encrypted, it is stored on the client, which carries inherent security risks.
IV. Comparison of ViewState and Session
(1) Session values are stored in server memory, so heavy use of Session increases the load on the server. ViewState only saves data to a hidden field on the page and does not consume server resources, so we can store in ViewState some of the variables and objects that the server needs to "remember". Session should only be used for variables and objects that need to be shared across pages and are associated with each visiting user.
(2) The session expires in 20 minutes by default, and ViewState never expires.
However, ViewState cannot store every .NET data type; it only supports String, Integer, Boolean, Array, ArrayList, Hashtable, and some custom types.
Everything has two sides: using ViewState increases the size of the page's HTML output and consumes more bandwidth, which needs careful consideration. In addition, since all ViewState is stored in a hidden field, a user can easily view the page source to see the Base64-encoded value, and then decode it to recover the values of the objects and variables stored in it.
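
The following Python sketch is an added example, not code from the original article. It shows why Base64 gives no confidentiality: it pulls the __VIEWSTATE field out of a rendered page, decodes it, and reports readable strings that match a keyword list, a check you can run against your own pages' output. The sample page, the simplified payload (not the real ASP.NET serialization format) and the keyword list are constructed assumptions.

```python
import base64
import binascii
import re
from html.parser import HTMLParser

# Constructed sample: a simplified stand-in for serialized control state,
# NOT the genuine ASP.NET wire format. Only the Base64 step is the point.
SAMPLE_STATE = (b"\xff\x01\x05\x09PageCount\x02\x07"
                b"\x05\x0ddiscount=0.35\x05\x0arole=admin")
SAMPLE_PAGE = ('<form method="post" action="Default.aspx">'
               '<input type="hidden" name="__VIEWSTATE" value="%s" />'
               '</form>' % base64.b64encode(SAMPLE_STATE).decode("ascii"))


class ViewStateFinder(HTMLParser):
    """Records the value of the hidden __VIEWSTATE input, if any."""
    def __init__(self):
        super().__init__()
        self.value = None

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "input" and attr.get("name") == "__VIEWSTATE":
            self.value = attr.get("value") or ""


def extract_viewstate(html):
    finder = ViewStateFinder()
    finder.feed(html)
    return finder.value


def readable_strings(viewstate_b64, min_len=4):
    """Base64-decode the field and return its printable ASCII runs."""
    try:
        raw = base64.b64decode(viewstate_b64, validate=True)
    except binascii.Error:
        return []  # not plain Base64; nothing to report
    runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, raw)
    return [r.decode("ascii") for r in runs]


def audit_page(html, keywords=("role=", "password", "discount")):
    """Return readable ViewState strings that contain a flagged keyword."""
    value = extract_viewstate(html)
    if not value:
        return []  # no server-side form, or ViewState disabled
    return [s for s in readable_strings(value)
            if any(k in s.lower() for k in keywords)]
```

Any hit from audit_page means a value is being sent to the browser in readable form and should be moved out of ViewState or the ViewState encrypted.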