PlaceHolder/Panel Visibility, ViewState on Security and Performance

It is not unusual to see a solution where use of asp:Placeholder and asp:Panel Visibility is employed to show/hide certain details from the user.

When implementing a simple Authorization/Permission features[more], it would also be tempting to use such approach. (mentioned simple since there are likely more complicated but better ways to do it) Of course you could always implement declarative authorization features in ASP.NET but I believe it would cause the user to be redirected to the page identified as the login url. (hmmm, does other authorization types support authorization rules? not sure myself, i wonder).

So if you simply perform checks in code.

eg. Does User.Indentity.Name have permission to view this page? Yes/No? If yes, display contents of panel/placeholder, if no set their visibility to false.

Simple and might do the trick.

BUT never forget that although they are invisible, some values might be present in the viewstate (eg. values bound to gridview inside the panel/placeholder). Although viewstate might look cryptic, remember that it is just base 64 encoded string. And although you could have employ encrypted ViewState, it would still be not a good idea and you will have unnecessary overhead.

So just a quick note to self (and possibly others) that settings PlaceHolder/Panel visibility to false doesn't stop it from saving information in viewstate. Obvious to some but not to all so if you're guilty, better fix that code before someone gets to see something they shouldn't.

I'm also interested how best to implement this in code (not using ASP.NET built-in declarative authorization rules – ie. in web.config). HttpModule maybe? But note that I would want the resulting page to have the same look and feel (still use master page) rather than simply a text in the page (and nothing more) or worst an exception throw because user doesn't have view permission for example, nor redirected to a generic page. I'll try to explore this but someone who might have a good idea out there comes across this and shares his/her notes.

UPDATE: Aside from the security consideration, note that disabling viewstate when not need could significant improve performance (dependent on how items you have in your page makes use of viewstate – eg. disabling view state when hiding a gridview is significant) so will be adding "Performance" to the title as well

Also, be cautious about disabling view state. It is used by control to
persist information across postbacks so if you do disable them make
sure you test your page well.