Preventing one-click attacks on your site by using ViewStateUserKey

Hi,

One of the most useful and least known security features in ASP.NET is the Page.ViewStateUserKey property. It ties the page's view state to an identifier for the individual user, so that view state captured from one user cannot be replayed as another.

The value must be set in the page's Init phase (Page_Init or PreInit, or an OnInit override). Setting it in Page_Load throws an exception, because the key has to be known before view state is loaded. The value should be unique per user; setting the same constant for all users is equivalent to leaving it null. The usual choices are the user ID or the session ID. The session ID is the better option (session IDs are unique, change from time to time and differ between users), and it also works for anonymous users who have no user ID. One caveat: ASP.NET issues a fresh session ID on every request until something has been stored in session state, so store at least one value in the session (for example in Session_Start); otherwise the key used at render time differs from the key on postback and every postback fails validation.

What it does is mix the value of ViewStateUserKey into the view state MAC when the page is rendered. On postback the MAC is recomputed using the current request's ViewStateUserKey and compared with the one in the posted __VIEWSTATE field. If they do not match, ASP.NET throws an HttpException ("Validation of viewstate MAC failed") and the page is not processed. This only works when view state MAC validation is enabled (EnableViewStateMac must not be turned off), since the key is part of the MAC, not of the serialized data itself.

Setting this value helps prevent one-click attacks (cross-site request forgery) against the site and is very easy to implement. When ViewStateUserKey is used, an attacker cannot reuse the view state of any page to cause a one-click attack, because the view state they captured was signed with their own key, not the victim's. [Note: with a one-click attack an attacker makes valid, malicious POST requests to the site on behalf of other users. The requests normally come from many different IP addresses, because the attacker mails a link to different people and the POST is made from the machine of whoever clicks it. This also makes it practically impossible to determine the IP address of the person who actually started the attack.]
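The following is an added example of the setup described above, not code from the original post. It assumes a Web Forms site whose pages derive from a hypothetical SecurePage base class instead of System.Web.UI.Page, and a Global.asax.cs that anchors the session so that Session.SessionID stays stable between the render and the postback.

```csharp
// Global.asax.cs (assumed file name)
using System;
using System.Web;
using System.Web.SessionState;
using System.Web.UI;

public class Global : HttpApplication
{
    protected void Session_Start(object sender, EventArgs e)
    {
        // Storing any value makes ASP.NET keep this session ID on later requests.
        // Without it a new ID would be issued per request, and the ViewStateUserKey
        // at postback would no longer match the one used when the page was rendered.
        Session["__viewStateKeyAnchor"] = DateTime.UtcNow;
    }
}

// SecurePage.cs (assumed file name): every page in the site inherits from this
// class, so the key is applied consistently rather than page by page.
public class SecurePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        // ViewStateUserKey may only be assigned in or before Page_Init;
        // assigning it in Page_Load throws. Do it before raising Init so
        // any Page_Init handler in a derived page runs with it already set.
        if (Session != null)
        {
            ViewStateUserKey = Session.SessionID;
        }
        else
        {
            // Pages with EnableSessionState="False" have no session. Fail closed
            // rather than silently running without CSRF protection.
            throw new InvalidOperationException(
                "SecurePage requires session state to derive ViewStateUserKey.");
        }

        base.OnInit(e);
    }
}
```

With this in place, a __VIEWSTATE value captured in the attacker's own session is signed with the attacker's session ID; when it is posted from a victim's browser, the MAC is recomputed with the victim's session ID, fails to match, and the postback is rejected with a view state MAC validation exception. The check is only as strong as the MAC, so EnableViewStateMac must stay enabled (it is by default).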

Vikram


Copyright © 2006 - 2008 Vikram Lakhotia