Question Mark and the Mysterians (which leads to) __VIEWSTATE



  • OK, that subject line is a bit cryptic, but I was just curious about something. If this has been talked to death before, sorry.

    I was noticing on the front page an ad for SnagIt 8 which had question marks in front of the product's feature descriptions:


    Ah, I thought, that annoying '?' when the page doesn't specify the right charset in the HTML page. So I thought I would look at the source to see what they had specified. Well, the ad is served by JavaScript and I didn't want to take time to run it down, but instead I found this (I'm not even going to trust the forum software, sticking w/ pictures):


    And it goes on for a while. For me, not just a WTF but a WHIT (What the Heck Is It?). Something to do with .NET, right? What is this thing?



  • The VIEWSTATE is a base-64 encoded binary serializtion of the state of controls on the page. Think of it like input type=hidden on steroids multiplied by 50.

    It contains everything from the original text of the Subject Textbox (so it can trigger the OnTextChanged event on the control) to the items in a drop down list.

    It can get to be pretty fat though. When I develop ASP.NET pages, I make sure to watch that it's not getting out of had. As it turns out, people over a network (inter or intra) can't get the content as fast as http://localhost can



  • How is it helpful?



  • It makes it a lot less painful to manage state. Controls (by default) will dump their properties in the view state, so the property (be it Background color, Enabled) will persist through POSTs.



  • Is there any advantage over using sessions to manage the state on the server side?



  • @masklinn said:

    Is there any advantage over using sessions to manage the state on the server side?



    Scalability?



  • @ammoQ said:

    @masklinn said:

    Is there any advantage over using sessions to manage the state on the server side?



    Scalability?

    Mmmm using viewstates means that you replace the memory taken wherever you store your session data (which would be FS file, memcached or DB) with a big bunch of extra bandwith, parsing of base64 encoded data and reinitialisation of the various objects. Plus the fact that your viewstate data could very well have been modified by the client and is therefore tainted and untrusted, while session data are by definition trusted and untainted.

    I'm not sure it'd be a huge gain if a gain at all.



  • @masklinn said:

    Is there any advantage over using sessions to manage the state on the server side?

    Big problem with server-side session mgmt is the back button. that can really screw you up.



  • @masklinn said:

    @ammoQ said:
    @masklinn said:

    Is there any advantage over using sessions to manage the state on the server side?



    Scalability?

    Mmmm using viewstates means that you replace the memory taken wherever you store your session data (which would be FS file, memcached or DB) with a big bunch of extra bandwith, parsing of base64 encoded data and reinitialisation of the various objects. Plus the fact that your viewstate data could very well have been modified by the client and is therefore tainted and untrusted, while session data are by definition trusted and untainted.

    I'm not sure it'd be a huge gain if a gain at all.



    That's right, but it probably depends on your users and their habbits. A well-visited forum like this can have thousands of users, which at some (unpredictable) point decide to close the browser window. How long do you keep sessions alive? On the other hand, an online-banking application can be made relatively strict, dropping sessions after a few minutes of inactivity - and of course, a online-banking app has to be much more carefull about safety concerns, untainted data and stuff.
    Bandwith is of course an issue, but on the other hand, it's much easier to do load balancing and fail-over if there are no sessions you have to share between the servers. Parsing is hardly a problem with todays computers, unless you do it in PL/SQL ;-)

Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.