I've got an ASP.net web forms application. I'm trying to work through some security issues with it. Previously the developers before me had disabled MAC on the viewstate. I'm trying to reenable it.
The problem I'm having is that I have pages enableViewState="true", enableViewStateMac="true" and also a machineKey entry
in my web.config to do this globally, but the security tools I'm using are still reporting an unhashed viewstate. I've searched the entire solution for any references to EnableViewStateMac in case there were page level directives turning it off and I'm not coming up with any.
So my question is this, what other ways/reasons would the application level directive not work?