[Factory Configuration] Disable Viewstate Decryption

Forge Component
(23)
Published on 31 Jul (6 days ago) by OutSystems R&D
23 votes
Published on 31 Jul (6 days ago) by OutSystems R&D

Hi,


There is this decrypt viewstate setting which i assume to be used to set it to plain text, but does not seems to work. 


Can advice what is the expected behavior if it is working? We are trying to see if by not encrypting, does it help the system to be faster?


Hi,

I've experimented with that setting in the past, to try to understand the content of the viewstate, and my results were that in fact it is not working. I couldn't get to have a not encrypted viewstate.


Having said that, even if it was working, what you are trying to achieve (have the system perform faster) must not be done through this "workaround" to not encrypt the viewstate because there is a reason why the viewstate is encrypted: it contains the state of the request and if the user could change the state then more or less it could do whatever he wanted to change the behavior of the application, and security would be compromised.

It is the same thing as knowing that HTTPS has a bit of overhead because of the encryption and to make the system perform faster we would turn off HTTPS falling back to HTTP.

--Tiago Bernardo