Skip to main content




Applies only to Web Apps

Encrypt web apps view state

The view state is used by the OutSystems underlying technology for traditional web applications (ASP.NET). This mechanism is used to preserve the client-side state of a web page when a postback occurs. The view state stores the values and controls of the page between requests.

The view state is a hidden field in the HTML of the web page. Its value property stores the view state encoded information. It's a good practice to encrypt the view state and avoid using it to store sensitive information.


Check the Microsoft documentation for more information about the view state.

Encrypting the view state using Factory Configuration

Because a page's view state can contain sensitive information (such as the inputs a user added on a form) it's a good practice to encrypt the view state. It’s possible to encrypt the view state using the supported Forge component Factory Configuration:

  1. Install Factory Configuration in the environment you wish to encrypt the view state.

  2. Open it on the browser and login using your LifeTime/Service Center credentials.

  3. Navigate to the Platform Configurations tab and make sure Encrypt Viewstate is ticked. For an extra level of protection, the option Use Session Token to Encrypt View State will include the value of the session cookie osVisitor in the encrypted view state. This ensures that, in each user session, every requested page is only valid in the context of that same user session.

    Factory Configuration

  4. Apply the settings to all modules.

  • Was this article helpful?