Create ViewState-like Custom Hidden Fields

In ASP.NET, the ViewState collection reduces significantly the need for user-defined hidden fields. Whether you write a page or a control, the ViewState collection is always there for you to store data that survives the request and is available intact the next time the page is posted back.

The ASP.NET runtime takes care of collecting all persistent data from controls in the page and serialize them into a unique stream. On the way back, the same runtime does the reverse and deserializes the stream filling each controls ViewState collection.

Working with the view state is easy and secure because theres virtually no risk that you receive tampered data. If the content of the view state happens to be tampered with on the client, the ASP.NET runtime detects it and throws an exception. In addition, the data stored in the view state is also Base64 encoded providing for increased data confidentiality as well. So why should you go for custom hidden fields?

The view state support is optional and can be disabled for individual controls and pages. More importantly, enabling the view state is an application-level setting meaning that if you write a control (say, a third-party, commercial product) and rely on the ViewState collection you have no guarantee that your data is still there on each and every postback.

A good practice is insulating critical data in a custom hidden field that is always there, unless programmatically removed. However, an ordinary hidden field is plain text. The following code shows how to take your state object (typically, an array) and serialize it to a Base64 format, like the ViewState.

LosFormatter f = new LosFormatter();

StringWriter writer = new StringWriter();

f.Serialize(writer, state);

Page.RegisterHiddenField(YOUR_HIDDEN_FIELD,

      writer.ToString());

The LosFormatter class is an optimized formatter that also encodes to Base64 the array of bytes generated by the serialization process. To read data back when the page loads, you use the following code:

string ctlState;

ctlState = Page.Request.Form[YOUR_HIDDEN_FIELD];

if (ctlState == null)

    return;

LosFormatter f = new LosFormatter();

object state = f.Deserialize(controlState);

In this way, you have your hidden field contents scrambled as the viewstate. You wont get protected against data tampering. That feature must be coded separately. The easiest way is, calculate a hash on the hidden field and attach it to the contents. Once back, recalculate the hash on the current content and compare it to the old one.