According to MSDN and the MCTS self-paced training, asp.net can use Hidden fields for client-side state management. The book material goes on to say view-state is more secure than hidden fields because the data is encrypted.
I must be missing something here. I set up a Label and made it hidden. I can store data in this hidden label and it won’t even be sent to the client browser. This not only works like server side state (note the runat=server), but this seems more secure than view-state because there’s no need for encryption as the client can’t even see the field.
<asp:Label ID="Label1" Visible="false" runat="server">secret info</asp:Label>
Contrast this with an HTML input field. Here, the client state info makes sense.
<input id="Text2" type="text" style="visibility:hidden;" value="secret 99" />
So what’s the deal?
When you create a label in .net and set its visibility to Hidden, it does not render to the client and its data is stored in viewstate.
Therefore, it is not “more” secure than viewstate as it is using viewstate to maintain the data.
Regarding hidden fields, there are four kinds: First up is the regular HTML one which is simply an input of type hidden. This has no visible rendering although it is in the html. It also has no viewstate properties. It is declared as:
The second one is a regular input with a css property marking it as hidden: If CSS is disabled or otherwise overridden then the control would be visible to the user. Other than that it’s pretty close to the same thing as a type=’hidden’.
The third one is the .Net hidden field. This does have viewstate storage, but it also causes a regular hidden field to be generated in the html.
And, the fourth one is a regular .net text box that is marked as not-visible.
The .net ones will cause data to be placed in viewstate. The HTML ones do not. If you set Visible=False on a .Net control then it is not rendered to the client, however its data is typically stored in viewstate.
There are other ways of throwing data into the page, but they are derivations of the above.
Generally speaking if you have a value that your JavaScript code needs but you don’t need to display it to the client then you use a hidden field (html or .net). If you have a secret value then typically you don’t want this to go to the client side if at all possible. And that means even keeping it out of viewstate. As a side note, don’t depend on viewstate “security”; there are tools out there which will easily decrypt it.
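A defender-side check for the answer's closing point, written as an added example (it is not code from the question or the answer): take the __VIEWSTATE value a page actually sends to the browser, base64-decode it, and see whether the serialized control state, including the text of a Visible="false" Label, is readable as-is. The walker assumes the ObjectStateFormatter token layout (0xFF 0x01 header, 0x05 length-prefixed UTF-8 strings, 0x0F pair, 0x10 triplet, 0x16 ArrayList, 0x64 null, and so on); a blob that does not begin with that header is reported as encrypted (or not ObjectStateFormatter output). The sample blob and its trailing 20-byte MAC are constructed here for the demonstration, not captured from a real page.

```python
import base64

# ObjectStateFormatter (LOS) token bytes this walker understands (assumed layout).
T_INT16, T_INT32, T_BYTE, T_STRING = 0x01, 0x02, 0x03, 0x05
T_PAIR, T_TRIPLET, T_ARRAYLIST = 0x0F, 0x10, 0x16
T_INDEXED_STRING_ADD, T_INDEXED_STRING = 0x1E, 0x1F
T_NULL, T_EMPTY_STRING, T_ZERO_INT32, T_TRUE, T_FALSE = 0x64, 0x65, 0x66, 0x67, 0x68
LOS_HEADER = b"\xff\x01"  # format marker 0xFF, version 1


def _read_7bit(buf, pos):
    """BinaryWriter.Write7BitEncodedInt: little-endian base-128 with continuation bit."""
    result = shift = 0
    while True:
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7


def _read_str(buf, pos):
    """BinaryWriter.Write(string): 7-bit length prefix followed by UTF-8 bytes."""
    length, pos = _read_7bit(buf, pos)
    return buf[pos:pos + length].decode("utf-8"), pos + length


def _walk(buf, pos, found, strtab):
    """Decode one token tree; every string seen is appended to `found`."""
    tok = buf[pos]
    pos += 1
    if tok == T_STRING:
        s, pos = _read_str(buf, pos)
        found.append(s)
        return s, pos
    if tok == T_INDEXED_STRING_ADD:        # string table entry, referenced later by index
        s, pos = _read_str(buf, pos)
        strtab.append(s)
        found.append(s)
        return s, pos
    if tok == T_INDEXED_STRING:
        return strtab[buf[pos]], pos + 1
    if tok == T_INT32:
        return _read_7bit(buf, pos)
    if tok == T_INT16:
        return int.from_bytes(buf[pos:pos + 2], "little", signed=True), pos + 2
    if tok == T_BYTE:
        return buf[pos], pos + 1
    if tok in (T_PAIR, T_TRIPLET):
        items = []
        for _ in range(2 if tok == T_PAIR else 3):
            v, pos = _walk(buf, pos, found, strtab)
            items.append(v)
        return tuple(items), pos
    if tok == T_ARRAYLIST:
        count, pos = _read_7bit(buf, pos)
        items = []
        for _ in range(count):
            v, pos = _walk(buf, pos, found, strtab)
            items.append(v)
        return items, pos
    simple = {T_NULL: None, T_EMPTY_STRING: "", T_ZERO_INT32: 0, T_TRUE: True, T_FALSE: False}
    if tok in simple:
        return simple[tok], pos
    raise ValueError(f"unsupported token 0x{tok:02x} at offset {pos - 1}")


def audit_viewstate(b64):
    """Report whether a __VIEWSTATE value is readable client-side and which strings it carries."""
    raw = base64.b64decode(b64)
    if raw[:2] != LOS_HEADER:
        return {"encrypted": True, "strings": [], "tree": None, "trailing_bytes": None,
                "note": "no ObjectStateFormatter header: encrypted or not viewstate"}
    found, strtab = [], []
    try:
        tree, end = _walk(raw, len(LOS_HEADER), found, strtab)
        note = None
    except (ValueError, IndexError) as exc:   # partial decode still reports strings found so far
        tree, end, note = None, len(raw), str(exc)
    # Bytes after the serialized tree are the MAC when enableViewStateMac is on.
    return {"encrypted": False, "strings": found, "tree": tree,
            "trailing_bytes": len(raw) - end, "note": note}


# Constructed sample: a minimal LOS tree holding a hidden Label's text, plus a
# 20-byte placeholder standing in for an HMAC-SHA1 (not a real MAC).
SAMPLE_LOS = (
    b"\xff\x01"             # header
    b"\x0f"                 # Pair(
    b"\x02\x7b"             #   Int32 123 (page hash code)
    b"\x16\x02"             #   ArrayList of 2:
    b"\x02\x01"             #     Int32 1 (control index)
    b"\x0f"                 #     Pair(
    b"\x05\x0bsecret info"  #       String "secret info"
    b"\x64"                 #       Null ) )
)
FAKE_MAC = b"\x00" * 20
SAMPLE_B64 = base64.b64encode(SAMPLE_LOS + FAKE_MAC).decode()
# Constructed stand-in for an encrypted blob: no 0xFF 0x01 header.
ENCRYPTED_SAMPLE_B64 = base64.b64encode(bytes(range(16, 48))).decode()

if __name__ == "__main__":
    print(audit_viewstate(SAMPLE_B64))
    print(audit_viewstate(ENCRYPTED_SAMPLE_B64))
```

Running this against a captured __VIEWSTATE from your own page tells you in one step whether the "hidden" Label's text left the server. The MAC only stops tampering; it does nothing for confidentiality, which is why the answer's advice stands: keep secrets in Session (or another server-side store) rather than in any control's viewstate, and if state must round-trip, set viewStateEncryptionMode="Always" in the <pages> element of web.config so the blob no longer decodes this way.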