ViewState is not Encrypted
The ViewState is a hidden form input in ASP.NET pages which is used automatically to persist information such as non-default values of controls. It is also possible to store application data specific to a page in the ViewState. If the ViewState is not encrypted, anyone can see stored values in it.
Do not store sensitive values in the ViewState and enable encryption for it.
To enable ViewState encryption for the whole application, add the below lines to the
pages node under
system.web of the
<system.web> <pages viewStateEncryptionMode="Always" /> </system.web>
To enable encryption for a specific page add the below line at the top of the page:
<%@Page ViewStateEncryptionMode="Always" %>