Brief background: I have a two-step login page, which after step 1 sends a one-time code to the user's email. I do not need this code anywhere except on step 2. I googled around and decided to store the original code in encrypted ViewState. So the question: is it safe from a security standpoint? Is it possible to decrypt encrypted ViewState on the client side and get the code from there? (Of course, I mean truly encrypted ViewState, not just base64ed.)
It's my understanding that ViewState is serialized into a base-64 encoded string using the MachineKey in machine.config. In order for the client (I am guessing JavaScript) to decode it, wouldn't you have to expose the MachineKey? This would not be good at all.
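The configuration the question and answer are talking about, as an added example that is not part of the original posts: a `web.config` fragment that forces ViewState encryption for every page, next to the setting that leaves it merely base64-encoded. The attribute values are assumptions about a single-server setup; a web farm would need explicit keys shared by all nodes.

```xml
<configuration>
  <system.web>
    <!--
      Weak setting, shown for contrast: with viewStateEncryptionMode="Never"
      the __VIEWSTATE field is only serialized and base64-encoded (plus a MAC),
      so anything stored in it can be read by whoever receives the page.

      <pages viewStateEncryptionMode="Never" />
    -->

    <!--
      "Always" encrypts ViewState on every page. The default, "Auto", encrypts
      only when a control or the page calls
      Page.RegisterRequiresViewStateEncryption().
      enableViewStateMac keeps the integrity check on, so a modified field is
      rejected on postback.
    -->
    <pages viewStateEncryptionMode="Always" enableViewStateMac="true" />

    <!--
      The keys used to encrypt and sign ViewState. They are read from server
      configuration and are never sent to the browser; the client only ever
      receives the resulting ciphertext in the hidden __VIEWSTATE field.
      AutoGenerate lets the runtime create per-application keys.
    -->
    <machineKey validation="HMACSHA256"
                decryption="AES"
                validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>
```

With this in place the one-time code stored in ViewState travels to the client only in encrypted form, and reading it back requires the server-side `decryptionKey`.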