Validation of viewstate MAC failed


zachariahyoung

May 20, 2009, 12:07:13 AM
to S#arp Architecture
For some reason I'm getting the following error when I pull up the
following URL: http://www.virtualaltnet.com/van/Recordings. I have
changed the config in web.config to the following: <pages
validateRequest="false" enableEventValidation="false"
viewStateEncryptionMode="Never"> and it does not change anything.

The strange thing about it is I only get this error in Firefox 3.5 and
3.0 on Windows 7. Internet 8 and Flock work fine on Windows 7. But
when I'm in Internet 7 on Vista I get a JavaScript error.

Just wondering if anybody else has seen this or can explain why
different OSes and browsers behave differently.

Also this site is hosted on Godaddy which should not be in a farm.

Jonathan Parker

May 20, 2009, 12:26:26 AM
to sharp-arc...@googlegroups.com

Billy

May 20, 2009, 7:29:08 AM
to S#arp Architecture
Hi Zach,

I've encountered the error you're reporting. The env't in which we
encountered it was using IIS 6 with a * wildcard mapping added. I
tried adding all the settings you've done without any luck. Frank
Laub, who is a contributor for this project, spent some time looking
into it and has proposed that if I modify the said application to
use .mvc page extensions and get rid of the wild card mapping, that
that could remedy the situation. I have not been able to try out the
proposed solution yet, but I certainly look forward to doing so.

Do you know if your site is hosted on IIS 6 with a * wildcard, IIS 6
with .mvc extensions, or IIS 7?

Billy

zachariahyoung

May 20, 2009, 8:13:52 AM
to S#arp Architecture
I'm using IIS 7's integrated pipeline mode on godaddy. The funny
thing now is that I did clear history in FireFox and now I'm not
getting the error. But I'm still getting the javascript errors in IE
7.

zachariahyoung

May 20, 2009, 8:14:56 AM
to S#arp Architecture
Jonathan

I tried setting the following <pages validateRequest="false"
enableEventValidation="false" viewStateEncryptionMode="Never"> but
these settings did not change anything. After I cleared my cache it is
not working.

Thanks

Zach

On May 19, 11:26 pm, Jonathan Parker <jonathanparkerem...@gmail.com>
wrote:
> This link might help http://www.dotneat.net/2008/12/13/ASPNETMVCValidationOfViewstateMACFa...

Dfects

May 20, 2009, 9:50:48 AM
to S#arp Architecture
Hmm adding EnableViewStateMac="false" to the <%@ Page... should fix
this, but I'd be more concerned about the cause. You're not executing
any funny javascript on the page that may be tampering with things? Or
leaving the page to idle for long periods before submitting?

Disabling it can add some security vulnerabilities. More info here:

http://msdn.microsoft.com/en-us/library/system.web.ui.page.enableviewstatemac.aspx

I have to disable it on one of the pages in my app that accepts form
posts from an external source, but is tightly secured anyway.

Frank

May 20, 2009, 12:33:38 PM
to S#arp Architecture
Here's a wild guess, comment all your <%= Html.AntiForgeryToken() %>
in your views and your [ValidateAntiForgeryToken] on your controllers.

If this works, it implies a few things:

1) The Anti-Forgery Token is implemented using Viewstate, along with a
MAC check.
2) The web.config settings for viewstate are ignored by the Anti-
Forgery Token code.

I don't know anything more past this. It seems very hard to reproduce
this issue on other deployments. My wildcard mapping theory was just a
guess but I don't have any conclusive evidence to support it.

-Frank

Billy

May 20, 2009, 12:43:53 PM
to S#arp Architecture
You might be on to something there Frank. A little googling about
that uncovered the following: http://forums.asp.net/t/1388671.aspx

For the env't that we've seen this problem, we're running multiple
sites on the same server, some of which are using pre-RTM MVC
versions. I wonder if the cookies from the non-RTM MVC versions are
causing the problem.

Zach, can you confirm if you're using only MVC 1.0 on the deployment
server or is it possible that there are previous versions of MVC
installed as well?

Billy
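
An added illustration (not code from this thread, from S#arp Architecture or from ASP.NET MVC) of the two points raised in the posts above: a token carrying a MAC is rejected when it is checked under a different key than the one that issued it, and with the check switched off an altered token is accepted. The token layout, the key strings and the names Protect, Unprotect and SameBytes are assumptions made for the example; ASP.NET's real viewstate and anti-forgery formats differ.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Toy MAC-protected token (constructed for this example; not ASP.NET's real format).
static class MacTokenDemo
{
    // token = base64(payload) + "." + base64(HMAC-SHA256(key, payload))
    static string Protect(byte[] key, string payload)
    {
        byte[] data = Encoding.UTF8.GetBytes(payload);
        using (var hmac = new HMACSHA256(key))
            return Convert.ToBase64String(data) + "." + Convert.ToBase64String(hmac.ComputeHash(data));
    }

    // Returns the payload, or null when the MAC does not verify.
    // checkMac = false skips verification, modelling a disabled MAC check.
    static string Unprotect(byte[] key, string token, bool checkMac)
    {
        string[] parts = token.Split('.');
        if (parts.Length != 2) return null;
        byte[] data = Convert.FromBase64String(parts[0]);
        if (checkMac)
        {
            using (var hmac = new HMACSHA256(key))
                if (!SameBytes(hmac.ComputeHash(data), Convert.FromBase64String(parts[1])))
                    return null;
        }
        return Encoding.UTF8.GetString(data);
    }

    // Comparison that does not stop at the first differing byte.
    static bool SameBytes(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static void Main()
    {
        byte[] keyA = Encoding.UTF8.GetBytes("constructed-key-A"); // key that issued the token
        byte[] keyB = Encoding.UTF8.GetBytes("constructed-key-B"); // key of another app or version
        string token = Protect(keyA, "user=alice;nonce=1234");
        string altered = Convert.ToBase64String(Encoding.UTF8.GetBytes("user=bob;nonce=1234")) + "." + token.Split('.')[1];

        Console.WriteLine("issuing key:      " + (Unprotect(keyA, token, true) ?? "MAC validation failed"));
        Console.WriteLine("different key:    " + (Unprotect(keyB, token, true) ?? "MAC validation failed"));
        Console.WriteLine("altered, MAC on:  " + (Unprotect(keyA, altered, true) ?? "MAC validation failed"));
        Console.WriteLine("altered, MAC off: " + (Unprotect(keyA, altered, false) ?? "MAC validation failed"));
    }
}
```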

zachariahyoung

May 20, 2009, 11:40:20 PM
to S#arp Architecture
Billy,

This is my current code. I'm using the latest revision (r459)
template to build my code. I have version 1 of MVC and I removed the
<%= Html.AntiForgeryToken() %>. I will see if that works.



<%@ Page Title="Recordings" Language="C#" MasterPageFile="~/Views/Shared/Site.Master" AutoEventWireup="true"
    Inherits="System.Web.Mvc.ViewPage<IEnumerable<van.Core.Recording>>" %>
<%@ Import Namespace="van.Core" %>
<%@ Import Namespace="van.Web.Controllers" %>

<asp:Content ContentPlaceHolderID="HeadContentPlaceHolder" runat="server">
    <script language="javascript" type="text/javascript">
        SharpJs.RecordingsData = <%= Newtonsoft.Json.JsonConvert.SerializeObject(ViewData.Model) %>;
    </script>

    <script type="text/javascript" src="<%= ResolveUrl("~") %>Scripts/ViewScripts/Recordings/ListRecordings.js"></script>
</asp:Content>

<asp:Content ContentPlaceHolderID="MainContentPlaceHolder" runat="server">
    <h1>Recordings</h1>

    <% if (ViewContext.TempData[ControllerEnums.GlobalViewDataProperty.PageMessage.ToString()] != null) { %>
        <p id="pageMessage" class="fade page-message"><%= ViewContext.TempData[ControllerEnums.GlobalViewDataProperty.PageMessage.ToString()]%></p>
    <% } %>

    <p id="dynamicMessage" class="page-message" style="display:none"></p>

    <div id="divRecordingsGrid"></div>
    <%= Html.AntiForgeryToken() %>
</asp:Content>