"ViewStateUserKey is not a completely effective mitigation against
Cross-Site Request Forgery. It doesn’t work for non post-backs (i.e.
GET requests), and it doesn’t work if the ViewState MAC is turned off.
In several different places, we see a piece of advice repeated – use
the ViewStateUserKey property to prevent One-Click Attacks. Often, this
piece of advice is accompanied by the following code:
// Page_Init runs before ViewState is loaded, so the key set here is
// mixed into the ViewState MAC for this page's post-backs.
void Page_Init(object sender, EventArgs e)
{
    // Tie this page's ViewState to the current user's session.
    ViewStateUserKey = Session.SessionID;
}
What exactly does this code do? To understand it, we
first need to look at the ViewState mechanism itself. The ViewState is
an ASP.NET mechanism used to persist the value of web controls between
post-backs. This allows a lot of the drag-and-drop, UI-driven ASP.NET
architecture to function "auto-magically" by serializing and
de-serializing data automatically on the fly.
The ViewState is encoded and stored as a hidden field. This introduces
security issues, because the value is under the control of the client.
There may be a value stored in a field that you do not want someone to
see and modify, like an admin-only control with the visible property
set to false."
Read more of this article:
http://keepitlocked.net/archive/2008/05/29/viewstateuserkey-doesn-t-prevent-cross-site-request-forgery.aspx
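The three claims in the excerpt (the key is mixed into the ViewState MAC, so it does nothing when the MAC is off, and a non-post-back carries no ViewState to check at all) can be seen in a small model. The following is an added example written for this page, not code from the article or from ASP.NET: it is a constructed simulation of how a per-session ViewStateUserKey is folded into a MAC over the hidden field, with a made-up MACHINE_KEY standing in for the machineKey validation key and a simplified JSON/base64 encoding instead of the real ViewState serializer. The session ids, form contents and function names are all assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed stand-in for the ASP.NET machineKey validation key (not a real key).
MACHINE_KEY = b"constructed-machine-key-for-illustration"


def serialize_viewstate(state: dict, user_key: Optional[str], mac_enabled: bool) -> str:
    """Model of ViewState emission: base64 payload, optionally followed by a MAC.

    The MAC covers the payload plus the ViewStateUserKey, which is what ties a
    ViewState blob to the session that rendered the page.
    """
    payload = base64.b64encode(json.dumps(state, sort_keys=True).encode()).decode()
    if not mac_enabled:
        return payload  # no MAC at all: the user key is never mixed in
    tag = hmac.new(MACHINE_KEY, (payload + (user_key or "")).encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


def validate_viewstate(blob: str, user_key: Optional[str], mac_enabled: bool) -> Optional[dict]:
    """Return the decoded state, or None when the MAC does not verify for this session."""
    if not mac_enabled:
        return json.loads(base64.b64decode(blob))  # accepted unverified
    payload, _, tag = blob.partition(".")
    expected = hmac.new(MACHINE_KEY, (payload + (user_key or "")).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.b64decode(payload))


def handle_request(method: str, session_id: str, form: dict, mac_enabled: bool) -> str:
    """Model of a page whose Page_Init sets ViewStateUserKey = Session.SessionID."""
    user_key = session_id
    if method != "POST":
        # Non-post-back: no __VIEWSTATE is submitted, so the key is never checked.
        return "executed (no ViewState involved)"
    state = validate_viewstate(form.get("__VIEWSTATE", ""), user_key, mac_enabled)
    if state is None:
        return "rejected (ViewState MAC failure)"
    return "executed"


def run_scenarios() -> dict:
    """Exercise the three cases the article describes with constructed sessions."""
    victim, other = "victim-session", "other-session"
    action = {"action": "transfer"}
    results = {}
    # POST carrying a ViewState rendered for a different session, MAC on:
    # the per-session key makes the MAC fail for the victim's session.
    cross_session = serialize_viewstate(action, other, True)
    results["post_mac_on"] = handle_request("POST", victim, {"__VIEWSTATE": cross_session}, True)
    # Same, with the MAC disabled: nothing binds the blob to a session.
    results["post_mac_off"] = handle_request(
        "POST", victim, {"__VIEWSTATE": serialize_viewstate(action, other, False)}, False)
    # GET request: not a post-back, so ViewStateUserKey never enters the picture.
    results["get"] = handle_request("GET", victim, action, True)
    # A legitimate post-back from the same session still validates.
    legit = serialize_viewstate(action, victim, True)
    results["legit_post"] = handle_request("POST", victim, {"__VIEWSTATE": legit}, True)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Only the first scenario is stopped by ViewStateUserKey; the other two go through, which is why a request-independent anti-forgery token checked on every state-changing request (GET included) is needed alongside it rather than instead of it.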