The application uses the ASP.NET 2.0 view state (__VIEWSTATE) feature without encryption
to maintain application state. The view state can be protected from tampering by using
either encryption or signing. If only signing is used (without encryption), then the internal
value of the view state parameter can be exposed simply by Base64-decoding it.
In a well-designed application, the view state should never contain any sensitive
information. However, application designers have been known to put passwords and
other sensitive data inside the view state. Therefore, it is a good idea to always
use view state encryption in ASP.NET applications.