Tom Ritter <t...@ritter.vg> writes: >What's weird is I find confusing literature about what *is* the default for >protecting the viewstate.
I still haven't seen the paper/slides from the talk so it's a bit hard to comment on the specifics, but if you're using .NET's FormsAuthenticationTicket (for cookie-based auth, not viewstate protection) then you get MAC protection built-in, along with other nice features like sliding cookie expiration (the cookie expires relative to the last active use of the site rather than an absolute time after it was set). I've used it in the past as an example of how to do cookie-based auth right Peter. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com