Is including the SessionID even necessary if you are using encrypted ViewState? How could a malicious user generate a valid encrypted ViewState?
A malicious user could generate a valid encrypted ViewState simply by visiting the page in question and extracting the value. If the session ID is not part of the ViewState value, that value will be valid for all sessions.
This is also mentioned on the Microsoft page Securing View State:
Per-user View State Encoding
If your Web site authenticates users, you can set the ViewStateUserKey property in the Page_Init event handler to associate the page's view state with a specific user. This helps prevent one-click attacks, in which a malicious user creates a valid, pre-filled Web page with view state from a previously created page. The attacker then lures a victim into clicking a link that sends the page to the server using the victim's identity.
When the ViewStateUserKey property is set, the attacker's identity is used to create the hash of the view state of the original page. When the victim is lured into resending the page, the hash values will be different because the user keys are different. The page will fail verification and an exception will be thrown.
You must set the ViewStateUserKey property to a unique value for each user, such as the user name or identifier.
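To make the point concrete, here is a small added model (not ASP.NET's own LosFormatter or any code from the answer above) of a MAC-protected view state with and without a per-user key. The machine key, session identifiers and state contents are constructed demo values; the model shows why a blob captured in the attacker's own session verifies for the victim unless the MAC is bound to the user.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; in ASP.NET this role is played by the machineKey validationKey.
MACHINE_KEY = b"demo-machine-key-not-a-real-secret"
MAC_LEN = hashlib.sha256().digest_size


def protect(state: dict, user_key: Optional[str]) -> str:
    """Serialise the state and append an HMAC over it.
    When user_key is given it is mixed into the MAC, which is what
    ViewStateUserKey does: the blob becomes specific to that user."""
    payload = json.dumps(state, sort_keys=True).encode()
    mac = hmac.new(MACHINE_KEY, payload + (user_key or "").encode(),
                   hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode()


def verify(blob: str, user_key: Optional[str]) -> Optional[dict]:
    """Return the state if the MAC checks out for this user, else None
    (ASP.NET would raise a ViewStateException at this point)."""
    raw = base64.b64decode(blob)
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(MACHINE_KEY, payload + (user_key or "").encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None
    return json.loads(payload)


def one_click_scenario(bind_to_user: bool) -> bool:
    """Attacker builds view state in their own session; the victim's browser
    later posts that blob back under the victim's session.
    Returns True if the server accepts it for the victim."""
    attacker_key = "sess-attacker" if bind_to_user else None  # constructed session ids
    victim_key = "sess-victim" if bind_to_user else None
    blob = protect({"TransferTo": "attacker", "Amount": 1000}, attacker_key)
    return verify(blob, victim_key) is not None


if __name__ == "__main__":
    print("accepted without user key:", one_click_scenario(False))  # True
    print("accepted with user key:   ", one_click_scenario(True))   # False
```

Encrypting the view state on top of this changes nothing about the scenario: the attacker never needs to decrypt anything, only to replay a blob the server itself produced, so the binding to the user is what closes the gap.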