How do you protect view state from tampering when it's passed over an unencrypted channel?

  A. In Page directive set EnableViewStateMac="true"

  B. In Register directive set EnableViewStateMac="true"

  C. In web config set Protectviewstate="true"

  D. In IIS set Viewstate protection.


Correct Option: A

AI Explanation

To protect the view state from tampering when it's passed over an unencrypted channel, you can enable the ViewStateMac (Message Authentication Code) by setting the EnableViewStateMac attribute to "true" in the Page directive.

Let's go through each option to understand why it is correct or incorrect:

Option A) In Page directive set EnableViewStateMac="true" - This option is correct because enabling the ViewStateMac adds a MAC to the view state, which ensures its integrity and prevents tampering. The MAC is checked on the server side when the view state is received, and if it doesn't match, an exception is thrown.

Option B) In Register directive set EnableViewStateMac="true" - This option is incorrect because the Register directive is not used for enabling the ViewStateMac. It is used for registering custom server controls on the page.

Option C) In web config set Protectviewstate="true" - This option is incorrect because the Protectviewstate attribute in the web.config file is used to enable or disable view state encryption, not MAC protection. Enabling view state encryption ensures that the view state data is encrypted before being sent to the client.

Option D) In IIS set ViewState protection - This option is incorrect because there is no specific ViewState protection setting in IIS. ViewState protection is implemented at the application level, usually within the application code or configuration.

The correct answer is A) In Page directive set EnableViewStateMac="true". This option is correct because enabling the ViewStateMac in the Page directive adds a MAC to the view state, ensuring its integrity and preventing tampering.
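
The MAC check described under option A, sketched as an added example (not code from this page and not ASP.NET's own implementation): an HMAC-SHA256 tag is appended to a serialized state blob when the page is rendered and recomputed on postback. The `StateMac` helper, the key and the sample state are assumptions constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Illustrative helper (hypothetical names); not ASP.NET's internal view state code.
static class StateMac
{
    const int TagLen = 32; // HMAC-SHA256 output size in bytes

    static byte[] Tag(byte[] s, byte[] k) { using (var h = new HMACSHA256(k)) return h.ComputeHash(s); }

    // On render: append a MAC over the serialized state, then base64-encode.
    public static string Protect(byte[] state, byte[] key)
    {
        byte[] blob = new byte[state.Length + TagLen];
        Buffer.BlockCopy(state, 0, blob, 0, state.Length);
        Buffer.BlockCopy(Tag(state, key), 0, blob, state.Length, TagLen);
        return Convert.ToBase64String(blob);
    }

    // On postback: recompute the MAC and throw if it does not match.
    public static byte[] Verify(string field, byte[] key)
    {
        byte[] blob = Convert.FromBase64String(field);
        if (blob.Length < TagLen) throw new CryptographicException("state too short");
        int n = blob.Length - TagLen;
        byte[] state = new byte[n];
        Buffer.BlockCopy(blob, 0, state, 0, n);
        byte[] expected = Tag(state, key);
        int diff = 0; // compare every byte; no early exit on the first mismatch
        for (int i = 0; i < TagLen; i++) diff |= expected[i] ^ blob[n + i];
        if (diff != 0) throw new CryptographicException("state MAC mismatch");
        return state;
    }
}

static class Demo
{
    static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key-not-for-use"); // constructed
        string field = StateMac.Protect(Encoding.UTF8.GetBytes("role=user;cart=3"), key);
        // The MAC adds integrity only: the state itself is encoded, not encrypted.
        Console.WriteLine(Encoding.UTF8.GetString(StateMac.Verify(field, key)));
        byte[] edited = Convert.FromBase64String(field);
        edited[5] ^= 0x01; // simulate one byte changed in transit
        try { StateMac.Verify(Convert.ToBase64String(edited), key); }
        catch (CryptographicException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

The unmodified field verifies and its contents remain readable to anyone holding it, while the single-byte edit is rejected, which is the difference between MAC protection and encryption.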
