There are two reasons why it is desirable to do so. The first is for letting search engines see more of your content rather than the big portion of ViewState many sites have. The other is perceived rendering time, which means that the content loads faster because it renders before the ViewState while the total rendering time remains the same. That will decrease the load time of your website’s content.

Techniques to move the ViewState to the bottom of the WebForm have been published many times before. What I wanted was adding the functionality to an HttpModule. The technique to move the ViewState is borrowed from Scott Hanselman while the HttpModule implementation is my own. As Scott writes, it is a very low impact technique (0.000995 second) even though it hasn’t been fully tested for a variety of scenarios.

The goal I’m trying to achieve is to build a reusable component that has 100% plug ‘n play capabilities. That’s where the HttpModule comes in. You can just drop it into any existing website without changing any code.

I see no reasons why not to move the ViewState to the bottom, which makes me believe that Microsoft should have done that by default in the first place.

Implementation

Download the ViewstateModule.cs below and put it in the App_Code folder of your website. Then add these lines to the web.config and you’re ready to go.

<httpModules>
  <add type="ViewstateModule" name="ViewstateModule" />
</httpModules>

Download

ViewstateModule.zip (1,06 KB)

On a website where users can log on, it is a good idea to have some sort of password policy. The most widely used policies set a minimum length for the password and require the individual characters to be a mixture of numbers, letters and special characters. This is pretty much standard and makes it much more difficult to break into your system.

Eventually, these passwords will be broken, and for a brute force robot it’s only a matter of time. That’s why it is a good idea to protect against brute force attacks by limiting the number of retries you get to log in if you forget the right password.

I’ve written a few methods that limit the number of retries to 5. When the fifth bad attempt to log on is reached, you are unable to log in to the user account for five minutes. No other users are affected, only the one that is being brute forced.

The Code


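// Requires: using System; using System.Web.Caching;

// Returns the number of logon attempts recorded for the typed user name.
private int NumberOfLogonAttemps()
{
  if (Cache[txtUserName.Text] == null)
    return 0;

  return (int)Cache[txtUserName.Text];
}

// Removes the counter for the typed user name.
private void ClearLogonCounter()
{
  if (Cache[txtUserName.Text] != null)
  {
    Cache.Remove(txtUserName.Text);
  }
}

// Adds one to the counter for the typed user name.
private void CountLogonAttempt()
{
  if (Cache[txtUserName.Text] == null)
  {
    // First attempt: the entry expires after five minutes without access.
    Cache.Insert(txtUserName.Text, 1, null, Cache.NoAbsoluteExpiration, TimeSpan.FromMinutes(5));
  }
  else
  {
    int tries = (int)Cache[txtUserName.Text];
    // Re-insert with the same sliding expiration. Assigning through the
    // Cache indexer would store the new value without any expiration.
    Cache.Insert(txtUserName.Text, tries + 1, null, Cache.NoAbsoluteExpiration, TimeSpan.FromMinutes(5));
  }
}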

Example of use

To use these three methods you have to call them from the logon button's click event handler.

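protected void BtnLoginClick(object sender, EventArgs e)
{
  // Count every attempt before checking the limit.
  CountLogonAttempt();

  if (NumberOfLogonAttemps() > 5)
  {
    Status.InnerHtml = "User has been locked for 5 minutes";
  }
  else if (LogOn())
  {
    // Assumption: LogOn() returns true when the credentials were accepted.
    // Clear the counter only then; clearing it before every attempt would
    // reset it to zero each time and the lock would never trigger.
    ClearLogonCounter();
  }
}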

This is very simple to implement, and should it become an issue for the users to log on, you can raise the threshold to 10 retries.
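
As an added example (not the original post's code), here is the same five-retries, five-minute policy as a stand-alone class that counts only rejected logons, keeps one counter per account whatever casing is typed into the user name box, and can be called from concurrent requests. LogonThrottle, its member names and the sample users are hypothetical, and it assumes the user store compares names case-insensitively.

```csharp
using System;
using System.Collections.Generic;
// Added example: LogonThrottle and the sample user names are hypothetical.
public sealed class LogonThrottle
{
    private const int MaxFailures = 5;   // retries allowed in the post
    private static readonly TimeSpan LockWindow = TimeSpan.FromMinutes(5);
    private sealed class Entry { public int Failures; public DateTime LastFailureUtc; }
    private readonly object _gate = new object();
    // Case-insensitive keys so "Admin" and "admin" share one counter (assumed store behaviour).
    private readonly Dictionary<string, Entry> _entries = new Dictionary<string, Entry>(StringComparer.OrdinalIgnoreCase);

    private static string Key(string userName) => (userName ?? string.Empty).Trim();
    // Entry still inside the window, or null; stale entries are dropped. Caller holds _gate.
    private Entry Live(string key, DateTime nowUtc)
    {
        if (_entries.TryGetValue(key, out Entry e) && nowUtc - e.LastFailureUtc < LockWindow) return e;
        _entries.Remove(key);
        return null;
    }

    public bool IsLocked(string userName, DateTime nowUtc)
    {
        lock (_gate) { Entry e = Live(Key(userName), nowUtc); return e != null && e.Failures >= MaxFailures; }
    }

    // Call only after the credentials were checked and rejected.
    public void RecordFailure(string userName, DateTime nowUtc)
    {
        lock (_gate)
        {
            Entry e = Live(Key(userName), nowUtc) ?? (_entries[Key(userName)] = new Entry());
            e.Failures++;
            e.LastFailureUtc = nowUtc;
        }
    }

    // Call after a successful logon so earlier typos are not held against the user.
    public void RecordSuccess(string userName) { lock (_gate) _entries.Remove(Key(userName)); }

    public static void Main()
    {
        var throttle = new LogonThrottle();
        var t0 = new DateTime(2024, 1, 1, 12, 0, 0, DateTimeKind.Utc);   // constructed sample clock
        for (int i = 0; i < 5; i++) throttle.RecordFailure("alice", t0.AddSeconds(i));
        Console.WriteLine(throttle.IsLocked(" ALICE", t0.AddSeconds(10)));   // other casing, same account
        Console.WriteLine(throttle.IsLocked("bob", t0.AddSeconds(10)));      // other users unaffected
        Console.WriteLine(throttle.IsLocked("alice", t0.AddMinutes(6)));     // window has elapsed
    }
}
```

The click handler would check IsLocked before validating the password and call RecordFailure or RecordSuccess afterwards. Because the keys come from whatever is typed into the user name box, a long-running site would also cap or periodically prune the dictionary.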