View status of ASP. NET Server controls (1)

It is necessary to maintain the status information of Web pages and their controls. However, since Web applications are created on the top layer of the HTTP protocol, it is a stateless protocol, so it is very difficult to maintain state information. To solve this problem, ASP. NET 2.0 provides a variety of solutions, such as Session, Cookie, view status, control status, hidden domain, query string, and personalized user configuration Profile. For the use of ASP. NET 2.0 technology to create server controls, it is also very important to maintain the status information, the main solution is to use the view status and control status. This article describes the basic knowledge of ViewState in detail, and introduces the application method of view State through typical applications.

ASP. NET Server Control view status overview

View status is a very important technology. It enables the control of pages and pages to maintain status information from the server to the client, and then from the client to the back-and-forth process. In this way, you can create a page effect that is stateful and continuously executed on the Web environment. This section describes the operation mechanism, application method, storage data type, performance and security of view states, and view State segmentation, which are new features of ASP. NET 2.0 and their advantages and disadvantages.

1) Operating Mechanism

The specific running process of view status is as follows: each time a user requests. aspx page ,. NET framework first serializes the status data of related controls into a string, and then sends it as the Value of the hidden field named _ VIEWSTATE to the client. If the page is requested for the first time, the server control will also be executed for the first time. The hidden domain named _ VIEWSTATE contains only the default information of the control, which is usually null or empty. In the subsequent send back event, the ViewState stores the available attribute states of the server control in the previous send back. In this way, the server control can monitor the status before the currently processed send-back event occurs. These processes are the responsibility of the. NET Framework. for users, the execution of the. aspx page has the effect of continuous execution.

2) Data Types stored

View status can store multiple types of data. To improve the running efficiency, view status itself includes a set of optimized serialization methods for common types.

By default, view status serialization supports the following data types: String, Int32, Unit, Color, Array, ArrayList, HashTable, and TypeConverter.

The view status has been optimized for Array, ArrayList, and HashTable objects that contain the listed types above. Therefore, when using the view status in the control, try to limit the use of the preceding simple data type and the optimized type. Here, we need to focus on the custom type converter TypeConverter, which provides a unified method to convert the value type to other types, as well as access standard values and sub-attributes. For example, you can use TypeConverter to convert a string to a numeric value or convert a numeric value to a string. If there is no type converter, the page framework uses the binary serialization function provided by the. NET Framework to serialize objects. This process is very resource-consuming.

3) performance and security

When using the view state, the object must be serialized first, and then deserialized by returning. Therefore, we must understand the ViewState performance. By default, the ViewState of the control is enabled. If you do not need to use ViewState, you 'd better disable it. ViewState is no longer needed in the following cases: 1) when the control is not defined on the server side, all the control events are client events and do not participate in sending back); 2) the control does not have dynamic or data-bound property values. To disable the view State, set the value of EnableViewState of the control to "false", that is, EnableViewState = "false ".

By default, when the view status content is sent to the client during compilation, the reader will see the _ VIEWSTATE hidden domain content in the HTML code on the page. This is a meaningless string. It is the result of the. NET Framework encoding the relevant content through base64bit encoding. They are transmitted back and forth between the client and the server in plaintext mode. In some cases, such as passwords, accounts, connection strings, and other sensitive content, it is insecure to use the default method. To this end, the. NET Framework provides two security mechanisms for ViewState:

· Verification mechanism:

It can be indicated by setting the EnableViewStateMAC = "true" attribute. NET Framework adds a hash code to the ViewState data. The hash code is a type of SHA1 with a length of 160 bits, which seriously affects the execution performance ). When a callback event occurs, the hash code is re-created and must match the original hash code. This method can effectively verify whether ViewState can be tampered with during transmission. By default, the. NET Framework uses the SHA1 algorithm to generate the ViewState hash code. In addition, you can select the MD5 Algorithm by setting <machineKey> in the machine. config file, as shown below: <machineKey validation = "MD5"/> "/〉. The performance of the MD5 algorithm is better than that of the SHA1 algorithm, but it is not safe enough.

· Encryption mechanism

Use encryption to protect the actual data values in the ViewState field. First, EnableViewStatMAC = "true" must be set as described above ". Set the machineKey validation type to 3DES, that is, <machineKey validationKey = "AutoGenerate" decryptionKey = "AutoGenerate" validation = "3DES"/>, which indicates ASP. NET uses the 3DES encryption algorithm to encrypt the ViewState value.

4) view status chunks

The above describes some basic knowledge about view status. However, some readers may wonder what to do if the view State data becomes large in some cases? This clearly has some unexpected consequences. To this end, ASP. NET 2.0 has added a feature called "view State chunk. If the data size of the view State is too large, the view State block automatically divides the data into multiple blocks and places the data in multiple hidden fields.

To enable view status segmentation, set the MaxPageStateFieldLength attribute to the maximum size allowed in a single view Status field in bytes ). When the page is sent back to the server, the page analyzes the view status string during page initialization and restores the attribute information on the page. The default value is-1, which indicates that the maximum size does not exist and the view status is not divided into multiple block areas.

5) advantages and disadvantages

View status has the following three advantages: 1. The server resources consumed are less than those consumed by Application and Session ). Because view status data is written to the client computer. 2. easy to maintain. By default, the. NET system automatically enables the maintenance of control status data. 3. Enhanced security functions. The values in the view State are hashed, compressed, and encoded for Unicode. The security of the values is higher than that of hidden fields.

View status has the following three drawbacks: 1. performance considerations. Because the view status is stored on the page itself, if a large value is stored, even if the view status is segmented, the speed of page display and page sending may still slow down. Ii. device restrictions. Mobile devices may not have enough memory to store a large amount of view status data. Therefore, other implementation methods are used for server controls on mobile devices. Iii. potential security risks. View status is stored in one or more hidden domains on the page. Although the view State stores data in a hash format, it can be tampered. If you directly view the page output source, you can see information in the hidden domain, which leads to potential security issues.