Microsoft has addressed your issues 1-a, 1-b and 1-c by adding a property "ViewStateUserKey" to the System.Web.UI.Page class in .NET Framework 1.1. The documentation for this property is here:
Of course, it is up to the individual web page developer to ensure an appropriate non-trivial value has been placed into this property. As we all know, this is exactly the sort of detail that developers often forget or flub, with disastrous results.
--Tim Farley
SPI Dynamics
Start Secure. Stay Secure.
Security Assurance Throughout the Application Lifecycle.
http://msdn.microsoft.com/library/en-us/cpref/html/frlrfsystemwebuipagec
lassviewstateuserkeytopic.asp
Of course, it is up to the individual web page developer to ensure an appropriate non-trivial value has been placed into this property. As we all know, this is exactly the sort of detail that developers often forget or flub, with disastrous results.
--Tim Farley
SPI Dynamics
Start Secure. Stay Secure.
Security Assurance Throughout the Application Lifecycle.
[ reply ]