ASP.NET View State
View State is the method to preserve the Value of the Page and Controls between round trips. It is a Page-Level State Management technique. View State is turned on by default and normally serializes the data in every control on the page regardless of whether it is actually used during a post-back.Please keep in mind though, that while cookies and sessions can be accessed from all your pages on your website, ViewState values are not carried between pages.
Contents
Points of ViewState
- ViewState does not hold the controls, rather it holds the values of the form controls and their corresponding ID's that would otherwise be lost due to a post back because they do not post with the form.
- ViewState is not used to hold session data or to transmit data between pages.
- ViewState does not recreate the dynamically created controls of a page.
- It does not restore the values to the controls after a post back operation.
- ViewState for a control is disabled, still the value would be retained after a post back of the page occurs, for input controls like TextBox or DropDownList.
So, ViewState represents the state of a page when it was last processed on the web server. It holds the values of a control that has been dynamically changed.
How does ViewState work?
When the page is first created all controls are serialized to the ViewState, which is rendered as a hidden form field named __ViewState. This hidden field corresponds to the server side object known as the ViewState. ViewState for a page is stored as key-value pairs using the System.Web.UI.StateBag object. When a post back occurs, the page de-serializes the ViewState and recreates all controls. The ViewState for the controls in a page is stored as base 64 encoded strings in name - value pairs. When a page is reloaded two methods pertaining to ViewState are called, namely the LoadViewState method and SaveViewState method. The following is the content of the __ViewState hidden field as generated for a page in my system.
ViewState can be enabled and disabled in any of the following ways
Control Level
To disable ViewState for a single control on a page, we need to set the EnableViewState property of the control to false:
<asp:DropDownList ID="DropDownList1" runat="server" EnableViewState="false"> </asp:DropDownList>
Page Level
To disable ViewState for a single page, set the EnableViewState attribute in the @ Page directive to false:
<%@ Page Title="Home Page" Language="C#" EnableViewState="false" %>
We can also disable it by adding code in Class file of the page.
private void Page_Init(object sender, System.EventArgs e)
{
this.EnableViewState = false;
}
Application Level
To disable ViewState for a specific application, use the following element in the Web.config file.
<configuration>
<system.web>
<pages enableViewState="false" />
</system.web>
</configuration>
If you decide later that you need the ViewState for a specific page then you can turn it back on for just that page using a <location> element.
<configuration>
<system.web>
<pages enableViewState="false" />
</system.web>
<location path="ActivePage.aspx">
<system.web>
<pages enableViewState="true" />
</system.web>
</location>
</configuration>
Machine Level
To disable ViewState for all applications on a Web server, configure the <pages> element in the Machine.config file.
<Machine.config >
<system.web>
<pages enableViewState="true" />
</system.web>
</Machine.config>
Saving and Restoring Values to and from the ViewState
We can add any object or Primitive types to ViewState by following statements:
ViewState["key"] = obj; //Some Code obj = ViewState["key"];
Performance Issues
For a better performance in page rendering the size of the ViewState for a page should be minima. Remember that the data in the ViewState makes a round trip and incurs more network bandwidth usage. So, ViewState should always be used carefully. For pages and controls that do not require a post back at all, set the EnableViewState property of the page or the control of the page to false. Note: that only controls contained within a <form runat=server> tag in the .aspx page can store ViewState
Security Issues
For security measures (to ensure that the ViewState is not tampered) one of the following two measures can be adopted.
- EnableViewStateMac property
- Encryption of ViewState content
The EnableViewStateMac property ensures a Machine Authentication Check (MAC). This should be set at the page level or in the application’s web.config file. When set, this property appends a hash code to the ViewState before rendering. Whenever a post back occurs, this hash code is recalculated and checked with the one that is stored in the __ViewState hidden field of the form. It they do not match, the page is rejected, thus ensuring that the ViewState is not tampered.
To encrypt the contents of the ViewState, use the following in the machine.config file.
<machineKey validation = "3Des" />
or
< machineKey validation="SHA1"/>
