posted on Tuesday, June 06, 2006 6:14 PM by thomasswilliams
Infrequent Validation of viewstate MAC failed Exceptions in ASP.NET 2.0 Site
I've been developing an ASP.NET 2.0 site for a couple of months now (which got released and used by 100+ people, with no major bugs...high five!)
Every so often, I see a strange error message coming through the logs that reads "Validation of viewstate MAC failed". I'm using a GridView control, bound to an ObjectDataSource, with EnableViewState turned off and DataKeyNames. After dropping into "web developer" mode - where I search the web for the answers to my development problems :-) - I found two helpful sites, at Jotekes Blog and the ASP.NET Forums, which addressed the problem.
It seems that in my case, the problem was occurring with pages that took a while to load, where users were clicking on an edit button in the GridView before the page had fully loaded. The error was raised because a hidden form INPUT necessary for ASP.NET's internal workings called "__EVENTVALIDATION" had not yet been rendered (and thus wasn't passed to the edit link).
I implemented the suggestion on Jotekes Blog and disabled event validation and view state encryption:
<pages enableEventValidation="false" viewStateEncryptionMode="Never" />
Making this change saved me some bytes in view state and totally removed the hidden "__EVENTVALIDATION" section at the bottom of the page. My understanding is that from a security standpoint, after making these changes, someone could attempt to POST to my page and I wouldn't be able to tell if the POST came from the same page (this is the event validation part). Also, someone could read the view state.
Given my environment - an internal network (intranet) using Windows authentication - I feel that the security implications of disabling encryption on the viewstate are pretty small. I used Fritz Onion's ViewState Decoder to check out what was contained in the viewstate for the GridView, and it was pretty much the IDs for the records, which were needed for edit and delete functionality. I don't believe that knowing a record identifier would be of much help to an insider on our network.
As for the event validation, I can't see much of a problem (although I can see that turning this off in a public-facing website would be a bad idea).
The advantage is that users can click on edit links in the GridView and start editing. The advantage is that users don't see exceptions when trying to do their jobs.
Hopefully I'm not missing something!
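One way to handle the early-click cause described above while leaving event validation switched on, shown as an added example that is not from the original post: a client-side guard that cancels postbacks until the hidden state fields have been parsed. The names `missingStateFields` and `installPostbackGuard` are hypothetical, and the sketch assumes the script runs inline just inside the server form and that postbacks consult the form's `onsubmit` handler, as ASP.NET's generated `__doPostBack` does.

```javascript
// Added example, not from the original post. Function names are hypothetical.
// Assumes the standard ASP.NET hidden fields named on this page.
const REQUIRED_FIELDS = ["__VIEWSTATE", "__EVENTVALIDATION"];

// Names of required hidden fields the browser has not parsed into the form yet.
function missingStateFields(form, required = REQUIRED_FIELDS) {
  return required.filter((name) => !form.elements[name]);
}

// Wrap form.onsubmit so a postback is cancelled while state fields are missing.
// Any handler already on the form (e.g. validators) still runs afterwards.
function installPostbackGuard(form, onBlocked) {
  const previous = form.onsubmit;
  form.onsubmit = function (event) {
    const missing = missingStateFields(form);
    if (missing.length > 0) {
      if (typeof onBlocked === "function") onBlocked(missing);
      return false; // cancel: the page is not fully rendered yet
    }
    return typeof previous === "function" ? previous.call(form, event) !== false : true;
  };
}

// Browser wiring: run inline, just inside the server <form>, before the grid.
if (typeof document !== "undefined" && document.forms.length > 0) {
  installPostbackGuard(document.forms[0], (missing) => {
    console.warn("Postback blocked, still loading: " + missing.join(", "));
  });
}
```

With a guard like this, a click made before the page finishes loading is dropped in the browser instead of reaching the server without "__EVENTVALIDATION", so the `<pages>` settings can stay at their defaults.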