Part of the
You Can Learn ASP.Net and C# series.
By Ken Brown
Updated: February 12, 2005
This is a continuation of an article on client side state management. This
section will discuss hidden fields and ASP.Net viewstate.
The next client side state management technique for ASP.Net is hidden fields.
Hidden fields have been around for a long time. This is where you place a text
field control on your html page. Then you set the control to hidden. That means
that your user cannot see the control or its value on the page when the page
loads. It is sitting silently in the background undetected. Well, not exactly.
Hidden fields are not displayed on the web browser, but if you view source, you
can see both the hidden field and its value. Not very secure. They do allow
you to post information to other pages, or back to the same page.
The disadvantages of hidden fields?
Increases the HTML size of the page.
You still cannot store structured data.
Because you can view the source of an HTML page, there is no security.
There is no way to persist the data.
So even though hidden fields provide some value to your web page, there are
still serious limitations that have to be overcome to make it viable as a safe
and secure way to store sensitive data from your app.
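One way to detect a changed hidden-field value on postback, as an added example that is not part of the original article: the server appends an HMAC-SHA256 tag to the value before rendering it and checks the tag when the form comes back. HiddenFieldProtector, the sample value and the demo key are constructed for illustration; the value is still readable in view source, so this protects integrity only and sensitive data still belongs on the server.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper, not an ASP.Net API: signs and verifies hidden-field values.
public static class HiddenFieldProtector
{
    // Produces "base64(value).base64(tag)"; '.' never occurs in Base64 output.
    public static string Protect(string value, byte[] key)
    {
        byte[] data = Encoding.UTF8.GetBytes(value);
        using (HMACSHA256 hmac = new HMACSHA256(key))
            return Convert.ToBase64String(data) + "." + Convert.ToBase64String(hmac.ComputeHash(data));
    }

    // Returns true and the original value only when the tag matches the data.
    public static bool TryUnprotect(string field, byte[] key, out string value)
    {
        value = null;
        string[] parts = (field ?? "").Split('.');
        if (parts.Length != 2) return false;
        byte[] data, tag;
        try { data = Convert.FromBase64String(parts[0]); tag = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return false; }   // malformed field: reject
        using (HMACSHA256 hmac = new HMACSHA256(key))
            if (!FixedTimeEquals(hmac.ComputeHash(data), tag)) return false;
        value = Encoding.UTF8.GetString(data);
        return true;
    }

    // Compares every byte so the time taken does not depend on where a mismatch is.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Constructed demo key; a real key is random and kept in server-side configuration.
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key-not-for-production");
        string field = Protect("orderId=1001", key);
        string v;
        Console.WriteLine(TryUnprotect(field, key, out v));      // untouched field
        string tampered = Convert.ToBase64String(Encoding.UTF8.GetBytes("orderId=1002")) + field.Substring(field.IndexOf('.'));
        Console.WriteLine(TryUnprotect(tampered, key, out v));   // value changed, old tag reused
    }
}
```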
Next on our list of client side state management methods is Viewstate.
This is an ASP.Net tool that allows you to maintain the state of your controls
like textbox and listbox across page postbacks.
Viewstate has advantages the other 3 methods don't have. One of the most
important is the ability of viewstate to support structured data. This means
that control values are maintainable across page postbacks.
Using viewstate can be easy for nonpostback controls.
// Use a key/value pair to save an object to viewstate.
ViewState["sName"] = strName;
// ViewState returns an object, so cast it back to the original type
// with an explicit conversion when you retrieve it.
string sRetrieve = (string) ViewState["sName"];
Disadvantages of viewstate
Even though the viewstate data is encrypted, it would be easy to hack the
encrypted data. So you still don't want to save connection strings, passwords
or credit card information in viewstate. The really cool thing about viewstate
is its ability to save structured data. This makes it very valuable for passing
structured data back to itself on a page instead of going back to the database
and re-retrieving the info or recreating the information each time.
The more controls you have on the form the larger the size of viewstate and the
larger the size of the HTML you send back and forth to the server.
Only works when pages postback to themselves.
You can't persist data to other pages.
Since viewstate is saved as HTML, ASP.Net gives you the ability to disable
viewstate for individual controls, for entire pages, for an entire application
and even for an entire machine. Very powerful.
For an individual control, just change the EnableViewState property to false to
disable the control's viewstate. When a page doesn't postback to itself,
meaning it is always sent to a new page, you can disable the page viewstate by
adding a page directive.
<%@ Page EnableViewState="false" %>
At the application level you turn off view state in the web.config file. By
disabling viewstate here, you disable the ability of any page to postback to
itself and remember its controls' values.
<pages enableViewState="false" />
So, to summarize, there are 4 types of client side state management techniques.
You can use querystrings, hidden fields, cookies and viewstate. They all have
their advantages and disadvantages. You have to weigh the need to save the data
before you can choose the proper technique. If you want to save structured data
you have to choose viewstate. If you want to persist data until the next time
the user comes to your site, then your choice is cookies. If you want to hide
information on a form and then send it to another site, use hidden text
boxes. To send information to another page, use the querystring.
But, remember the limitations of all of them. They are all client side, and
they all have limited ability to secure data from the prying eyes of others. To
increase security, use session state, which is a server side state management
technique.