Rediger

Del via


CA5368: Set ViewStateUserKey For Classes Derived From Page

Property Value
Rule ID CA5368
Title Set ViewStateUserKey For Classes Derived From Page
Category Security
Fix is breaking or non-breaking Non-breaking
Enabled by default in .NET 9 No

Cause

The Page.ViewStateUserKey property is not assigned in Page.OnInit or the Page_Init method.

Rule description

When designing an ASP.NET Web Form, be mindful of cross-site request forgery (CSRF) attacks. A CSRF attack can send malicious requests from an authenticated user to your ASP.NET Web Form.

One way of protecting against CSRF attacks in ASP.NET Web Form is by setting a page's ViewStateUserKey to a string that is unpredictable and unique to a session. For more information, see Take Advantage of ASP.NET Built-in Features to Fend Off Web Attacks.

How to fix violations

Set the ViewStateUserKey property to a unpredictable and unique string per session. For example, if you use ASP.NET session state, HttpSessionState.SessionID will work.

When to suppress warnings

It's safe to suppress a warning from this rule if:

  • The ASP.NET Web Form page does not perform sensitive operations.
  • Cross-site request forgery attacks are mitigated in a way that this rule doesn't detect. For example, if the page inherits from a master page that contains CSRF defenses.

Suppress a warning

If you just want to suppress a single violation, add preprocessor directives to your source file to disable and then re-enable the rule.

#pragma warning disable CA5368
// The code that's violating the rule is on this line.
#pragma warning restore CA5368

To disable the rule for a file, folder, or project, set its severity to none in the configuration file.

[*.{cs,vb}]
dotnet_diagnostic.CA5368.severity = none

For more information, see How to suppress code analysis warnings.

Pseudo-code examples

Violation

using System;
using System.Web.UI;

class ExampleClass : Page
{
    protected override void OnInit (EventArgs e)
    {
    }
}

Solution

using System;
using System.Web.UI;

class ExampleClass : Page
{
    protected override void OnInit (EventArgs e)
    {
        // Assuming that your page makes use of ASP.NET session state and the SessionID is stable.
        ViewStateUserKey = Session.SessionID;
    }
}