Re: __VIEWSTATE encoding

Andre,

These are the relevant bits of POST data from your original message:

1st sample:
> __VIEWSTATE=0000WAUHA5F1L

2nd sample:
> __VIEWSTATE=%2FwEPDwUJMjM0ODU1MzMxD2QWAgIDD2QWCm  ... [continues for much longer]

BOTH of these are encoded, according to the content-type:
> Content-Type: application/x-www-form-urlencoded

In the first example, there are no characters which need to be escaped, so
the encoded value is the same as the unencoded value. In the second example,
at least the first character was escaped -- %2F is the encoding of a slash
("/") character.

If you want a standard to read, try section 2.3 of RFC 3875 (CGI 1.1), or
section 2.4 of RFC 2396 (URI syntax). The issue is really about HTML forms,
though, rather than HTTP.
http://www.w3.org/TR/html401/interact/forms.html#h-17.13.4 has the
definitive answer from the HTML side.

The short answer, though, is that the POST data should ALWAYS be encoded,
and you should run whatever you receive through a urldecode function before
using it.

Regards,
Ian Clelland

On Sun, Mar 23, 2008 at 8:38 PM, Andre Kirchner <supercroc1974@yahoo.com>
wrote:

>
> I was tapping my browser POST messages to a calendar, and noticed that the
> first message has an unencoded __VIEWSTATE, while the next messages seem to
> have it encoded (see below). How can a web server know whether a message
> has its __VIEWSTATE encoded or not? Because I didn't find anything in the
> headers about it. Would it be that an encoded message starts with "%2F", and
> an unencoded one does not? Is there an RFC about it, and if so, which one?
>
>
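A worked illustration of Ian's point, added here as an example and not part of either message in the thread: an application/x-www-form-urlencoded body is always "encoded", and the receiver decodes it exactly once, regardless of whether any character in a given value actually needed escaping. The two sample bodies below are constructed from the __VIEWSTATE values quoted above (the second one is the visible prefix only, since the archive truncates it); the helper names decode_form_body, encode_field and decode_twice are this example's own.

```python
from urllib.parse import parse_qs, quote_plus, unquote_plus

# Constructed sample POST bodies, built from the values quoted in the thread.
# SAMPLE_2 uses only the prefix visible in the archive; the real value is longer.
SAMPLE_1 = "__VIEWSTATE=0000WAUHA5F1L"
SAMPLE_2 = "__VIEWSTATE=%2FwEPDwUJMjM0ODU1MzMxD2QWAgIDD2QWCm"


def decode_form_body(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body exactly once.

    parse_qs splits on '&' and '=', turns '+' back into a space and
    resolves every %XX escape. strict_parsing makes a malformed pair
    (e.g. a field with no '=') raise instead of being silently dropped.
    """
    parsed = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    # Keep the first value for each field; repeated fields are not used here.
    return {name: values[0] for name, values in parsed.items()}


def encode_field(name: str, value: str) -> str:
    """Encode one name=value pair the way a browser does for a form POST.

    quote_plus leaves unreserved characters (letters, digits, '_', '-', '.',
    '~') untouched and escapes everything else, so a value that contains only
    unreserved characters is byte-for-byte identical before and after encoding.
    """
    return f"{quote_plus(name)}={quote_plus(value)}"


def decode_twice(body: str, field: str) -> str:
    """Deliberately decode a field a second time, to show why that is wrong.

    A value that legitimately contains a literal percent sign arrives as
    '%25...'; one decode restores the '%', a second decode then reinterprets
    the restored text as a new escape and corrupts the value.
    """
    return unquote_plus(decode_form_body(body)[field])


if __name__ == "__main__":
    # First sample: nothing needed escaping, so decoding changes nothing.
    print(decode_form_body(SAMPLE_1)["__VIEWSTATE"])   # 0000WAUHA5F1L
    # Second sample: the leading %2F becomes '/'.
    print(decode_form_body(SAMPLE_2)["__VIEWSTATE"])   # /wEPDwUJMjM0ODU1MzMxD2QWAgIDD2QWCm
    # Encoding the decoded value reproduces the wire form exactly.
    print(encode_field("__VIEWSTATE", "/wEPDwUJMjM0ODU1MzMxD2QWAgIDD2QWCm") == SAMPLE_2)
    # The decode-once rule: a constructed value containing a literal "%2F".
    body = encode_field("v", "a%2Fb")                 # v=a%252Fb
    print(decode_form_body(body)["v"])                 # a%2Fb  (correct)
    print(decode_twice(body, "v"))                     # a/b    (corrupted)
```

The server never has to guess whether a field "is encoded": the Content-Type says the whole body is, and the first sample simply happens to contain no characters that required escaping. Decoding once is the only correct number; the decode_twice helper shows how a second pass silently changes values that contained a literal percent sign.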

Received on Thursday, 3 April 2008 17:10:59 UTC