[geocar]

Seaside[1] and (IIRC) arc[2] both do this too.

My understanding was that __ViewState was intended to be encrypted in production by setting something in machine.config[3].

[1]: https://en.wikipedia.org/wiki/Seaside_(software)

[2]: http://arclanguage.org/

[3]: https://docs.microsoft.com/en-us/previous-versions/dotnet/ar...

[needusername]

Hell no. Seaside captures the state server side, stores it under an id and sends that id to the client. The client sends the id of the state snapshot back to the server.