A Nice Save

Remy Porter

Computers were a mistake, which is why I'm trying to shoot them into space. Editor-in-Chief for TDWTF.

Since HTTP is fundamentally stateless, developers have found a million ways to hack state into web applications. One of my "favorites" was the ASP.NET ViewState approach.

The ViewState is essentially a dictionary, where you can store any arbitrary state values you might want to track between requests. When the server outputs HTML to send to the browser, the contents of ViewState are serialized, hashed, and base-64 encoded and dumped into an <input type="hidden"> element. When the next request comes in, the server unpacks the hidden field and deserializes the dictionary. You can store most objects in it, if you'd like. The goal of this, and all the other WebForm state stuff was to make handling web forms more like handling forms in traditional Windows applications.

It's "great". It's extra great when its default behavior is to ensure that the full state for every UI widget on the page. The incident which inpsired Remy's Law of Requirements Gathering was a case where our users wanted like 500 text boxes on a page, and we blew out our allowed request sizes due to gigundous ViewState because, at the time, we didn't know about that "helpful" feature.

Ryan N inherited some code which uses this, and shockingly, ViewState isn't the biggest WTF here:

protected void ValidateForm(object sender, EventArgs e)
{
    bool Save = true;

    if (sInstructions == string.Empty)
    {
        sInstructions = string.Empty;
    }
    else
    {
        Save = false;
    }
    if (Save)
    {...}
}

Let me just repeat part of that:

if (sInstructions == string.Empty)
{
    sInstructions = string.Empty;
}

If sInstructions is empty, set it to be empty. If sInstructions is not empty, then we set… Save to false? Reading this code, it implies if we have instructions we shouldn't save? What the heck is this sInstructions field anyway?

Well, Ryan explains: "sInstructions is a ViewState string variable, it holds error messages."

I had to spend a moment thinking "wait, why is it called 'instructions'?" But the method name is called ValidateForm, which explains it. It's because it's user instructions, as in, "please supply a valid email address". Honestly, I'm more worried about the fact that this approach is starting to make sense to me, than anything else.

View all 17 comments »

Featured Comments

viewState.comments = base64(comments.all) (unregistered) 2020-09-14

Honestly, view state is not a terrible idea. For a page or wizard-like set of pages where everything is user input, so there's no security issues, and the size of the form state is small, it means that the server can be genuinely stateless, and you avoid annoyances like your server session timing out so everything you entered on the previous five pages is gone.

A modern single-page app framework is actually doing something pretty similar, except it doesn't go back and forth to the server between actions because the entire system state just stays clientside.

The WTF is that it was never really explained and so people didn't understand what they were doing, and used it for inappropriate scenarios where a server-side session variable (with, maybe, a cache key in the view state) would be better.

//article title here » « This Could Break the Bank!