Net Scripting - Viewstate
DYLAN
02-03-2005, 01:08 PM
Hi Guys,
Please help me!
I am helping out on a website, www.informationcommissioner.gov.uk (http://www.informationcommissioner.gov.uk), and have been told that the homepage contains 124k worth of .NET Viewstate, which I am told is affecting the amount of time it takes for the website to upload.
Please could someone take a look at the website and have a look at the viewstate .net Scripting, because I am not the best in this area.
Thanks Guys
Dylan
JasonD
02-03-2005, 01:31 PM
Sure,
For a link from the pages :)
Seriously though pal, if what you're saying is true (and I've no reason to think otherwise) then I am unsure if the UK Gov would be happy with you asking on a public forum about code that will be running the site.
As a Brit, I'm not sure I am happy with the security implications!
As the site is to do with Data and its protection and accessibility, I am sure this thread alone could become front page news!
DYLAN
02-03-2005, 01:42 PM
Hi,
Thanks for email. Yes, I do work for the Gov, but I am in a position where I am able to share some information, but a lot of it I cannot. I regard my question and the fact about the website as non-sensitive information that can be shared.
Now, can anyone please provide me with some information regarding my question? I would be very grateful.
thanks
Gareth
JasonD
02-03-2005, 01:46 PM
Gareth,
If you want some help, give me a call. Contact details on website, accessible via profile.
As someone who (indirectly) pays your wages what could happen if the wrong person advised you scares me!
Mikkel deMib Svendsen
02-03-2005, 02:36 PM
Dylan, this is an issue you should deal with, but it is actually quite simple - and I don't see any security issues with this (or anything you told so far). Basically, you want to remove the viewstate code from all pages possible, as it takes up an awful lot of space in the beginning of each document - so much that there is a risk search engine spiders will never get down to the real content. And even if they do, they may judge it as less relevant because it is buried so deep.
By default, .NET uses the viewstate to maintain state in a stateless environment. However, for most parts of your web application you probably don't need to maintain state - you only need it for log-in areas, shopping carts etc. - places where you need to be able to "hold on" to the user (for example, so users don't end up putting each other's products in the same shopping basket).
So, the first thing you should do is find out if you need to maintain state at all and if you do what directories or files it is needed for.
In the config file you can disable view state on a directory level, and I believe on a file level too (but not 110% sure). It's just a few lines of code - done in a few seconds by a programmer that knows your .NET installation.
Please let me know if you have any additional questions.
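Added example, not part of the thread: one way to find out which pages actually carry heavy ViewState before deciding where to switch it off is to measure the `__VIEWSTATE` hidden field in saved copies of your own pages. The function names, the sample pages and the 1024-byte budget are assumptions made for this illustration.

```python
import base64
from html.parser import HTMLParser


class ViewStateFinder(HTMLParser):
    """Collects the value of every <input name="__VIEWSTATE"> on a page."""

    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        fields = dict(attrs)
        if tag == "input" and fields.get("name") == "__VIEWSTATE":
            self.values.append(fields.get("value") or "")


def viewstate_report(html):
    """Return page size, ViewState size and the ViewState share of the page."""
    finder = ViewStateFinder()
    finder.feed(html)
    encoded = "".join(finder.values)
    page_bytes = len(html.encode("utf-8"))
    try:
        decoded_bytes = len(base64.b64decode(encoded, validate=True))
    except ValueError:  # field present but not valid base64
        decoded_bytes = None
    share = round(len(encoded) / page_bytes, 3) if page_bytes else 0.0
    return {"page_bytes": page_bytes, "viewstate_bytes": len(encoded),
            "decoded_bytes": decoded_bytes, "share": share}


def pages_over_budget(pages, limit_bytes):
    """List (path, viewstate_bytes) for pages above the limit, largest first."""
    sizes = {path: viewstate_report(html)["viewstate_bytes"]
             for path, html in pages.items()}
    heavy = [(path, size) for path, size in sizes.items() if size > limit_bytes]
    return sorted(heavy, key=lambda item: item[1], reverse=True)


# Constructed sample pages (not taken from any real site).
SAMPLE_STATE = base64.b64encode(bytes(3000)).decode("ascii")
SAMPLE_PAGES = {
    "/default.aspx": '<html><body><form method="post">'
                     f'<input type="hidden" name="__VIEWSTATE" value="{SAMPLE_STATE}" />'
                     "<h1>Home</h1><p>Content</p></form></body></html>",
    "/about.aspx": "<html><body><h1>About</h1><p>No form here.</p></body></html>",
}

if __name__ == "__main__":
    for path, size in pages_over_budget(SAMPLE_PAGES, limit_bytes=1024):
        print(path, size, viewstate_report(SAMPLE_PAGES[path])["share"])
```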
JasonD
02-03-2005, 02:40 PM
"I don't see any security issues with this"
I believe the security issue is one of an employee publicly asking for assistance and stating the assistance is for a Govt. website.
Social engineering, to win the person's confidence, along with potentially "nasty" replacement code being offered as the answer to the problem, is where I see a huge security hole.
Mikkel deMib Svendsen
02-03-2005, 02:51 PM
Even in my most paranoid mood I can't see that at all. All we are talking about in this case is a simple config file change to adjust viewstate.
Now let's get back on topic. If you want to discuss security issues further, I suggest you open a separate thread for it :)
chrisgarrett
02-04-2005, 06:11 AM
Granted he shouldn't have mentioned what site this was for but other than that, don't see the problem. Not like he showed any code for the page, he was asking about reducing viewstate.
To answer your question, I would turn off viewstate on a control by control basis - although adding bloat, sometimes viewstate is very helpful to have. Trim it but don't get rid completely.
DYLAN
02-07-2005, 05:20 AM
Hi everyone,
You are right, it is not as if I showed you all the coding belonging to the GOV website.
I would like to thank you all for your comments. I am still trying to get my head around all this .net viewstate business.
I hope you will all be able to assist me on future questions. Thank you all.