A good article on ViewState that I found through weblogs on MSDN- http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnaspnet/html/asp11222001.asp Especially the section on the ViewState vs. SessionState.. Session state is protected because it remains on the server's side, however viewstate bounces back to the client. Encryption (its only base64 encoded by default, which is essentially clear text) and tamper proofing definitely has a performance hit so the inclination is going to be turn it off. Who'd ever think to tamper with the viewstate? ;-) http://www.pluralsight.com/tools.aspx