asp.net ajax requires ViewStateEncryptionMode="Never"

Discussion in 'ASP .Net Web Controls' started by Trapulo, Apr 16, 2007.

  1. Trapulo

    Trapulo Guest

    Hello,
    I've a page with a gridview and an updatepanel containing a placeholder.
    When a gridview's row is selected, I load (using page.loadControls) a
    different usercontrol in the placeholder based on selected row index.

    Theese are my controls:
    gridview
    updatepanel[placeholder[userControl loaded at runtime]]

    UpdatePanel has a trigger related to gridview's selectedIndexChanged event.

    Some userControl I load contains an objectDataSource and a gridView to
    display data related to user selection.

    If I dont' set ViewStateEncryptionMode="Never", when I select a row, then an
    other row, and then I select again the first, I have an error related to MAC
    validation ("validation of viewstate MAC failed. If the application is
    hosted by a web farm or cluster, etc. etc.").

    Is there any way to solve this error without to disable viewstate
    encryption?

    thanks
     
    Trapulo, Apr 16, 2007
    #1
    1. Advertising

  2. Hi Trapulo,

    I'm having trouble to reproduce the issue on my side. Also, you mentioned
    two GridView, which one you selected will cause the exception?

    For some explanation about the exception, Eilon once described some
    possible cause of it (http://forums.asp.net/thread/1173230.aspx):

    =============

    The error that's happening (as has been mentioned earlier) is caused by an
    ASP.net 2.0 feature called Event Validation. This is a security feature
    that ensures that postback actions only come from events allowed and
    created by the server to help prevent spoofed postbacks. This feature is
    implemented by having controls register valid events when they render (as
    in, during their actual Render() methods). The end result is that at the
    bottom of your rendered <form> tag, you'll see something like this:

    <input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION"
    value="AEBnx7v.........tS" />

    When a postback occurs, ASP.net uses the values stored in this hidden field
    to ensure that the button you clicked invokes a valid event. If it's not
    valid, you get the exception that you've been seeing.

    The problem you're seeing happens specifically when you postback before the
    EventValidation field has been rendered. If EventValidation is enabled
    (which it is, by default), but ASP.net doesn't see the hidden field when
    you postback, you also get the exception. If you submit a form before it
    has been entirely rendered, then chances are the EventValidation field has
    not yet been rendered, and thus ASP.net cannot validate your click.

    One work around is of course to just disable event validation, but you have
    to be aware of the security implications. Alternatively, just never post
    back before the form has finished rendering. Of course, that's hard to tell
    your users, but perhaps you could disable the UI until the form has
    rendered?

    Unfortunately there's no "perfect" solution for this just yet.

    =============


    Although we're using AJAX here, there's still a normal postback on the
    server-side.

    Anyway, we can discuss further after you helped me to reproduce the issue
    on my side.


    Sincerely,
    Walter Wang (, remove 'online.')
    Microsoft Online Community Support

    ==================================================
    Get notification to my posts through email? Please refer to
    http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
    ications. If you are using Outlook Express, please make sure you clear the
    check box "Tools/Options/Read: Get 300 headers at a time" to see your reply
    promptly.

    Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
    where an initial response from the community or a Microsoft Support
    Engineer within 1 business day is acceptable. Please note that each follow
    up response may take approximately 2 business days as the support
    professional working with you may need further investigation to reach the
    most efficient resolution. The offering is not appropriate for situations
    that require urgent, real-time or phone-based interactions or complex
    project analysis and dump analysis issues. Issues of this nature are best
    handled working with a dedicated Microsoft Support Engineer by contacting
    Microsoft Customer Support Services (CSS) at
    http://msdn.microsoft.com/subscriptions/support/default.aspx.
    ==================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Walter Wang [MSFT], Apr 17, 2007
    #2
    1. Advertising

  3. Trapulo

    Trapulo Guest

    Hi Walter,
    I try to explain my page later.
    I've found too the post you reported, but I think it's a different thing.
    Or, better, a similar problem in a diffent way. I think that ASP.NET doesn't
    validate viewstate posting data with AJAX, because some controls are
    dinamically loaded into the page as ajax response.

    However, I solved the problem. I don't know if its because now my
    usercontrol uses a formView instead of other datacontrols, or if because I
    change something else (I was working on the page with
    ViewStateEncryptionMode="Never", so I did'nt made any specific test), but
    now I can remove ViewStateEncryptionMode="Never" and it works.

    However, I post the code of my page so you can understand my problem:


    This is my first updatepanel:
    <asp:UpdatePanel ID="upOptions" runat="server" EnableViewState="False"
    UpdateMode="Conditional">
    <ContentTemplate>

    <asp:GridView ID="gwOptions" DataSourceID="ds1" runat="server"

    EnableViewState="False" ShowHeader="False" SkinID="gwNoDataKeyNames"
    Width="100%"

    AutoGenerateColumns="False">

    <Columns>

    <asp:TemplateField>

    <ItemTemplate>

    <asp:Image ID="imgStepNotCompleted" Visible='<%# not
    Cbool(Eval("Completed")) %>'

    runat="server" ImageUrl="~/images/misc/homeStep.gif" />

    <asp:Image ID="imgStepCompleted" Visible='<%# Cbool(Eval("Completed")) %>'
    runat="server"

    ImageUrl="~/images/misc/homeStep_complete.gif" />

    </ItemTemplate>

    <ItemStyle HorizontalAlign="Left" VerticalAlign="Middle" Width="50px" />

    </asp:TemplateField>

    <asp:TemplateField>

    <ItemTemplate>

    <asp:HyperLink ID="linkService" runat="server" Text='<%#
    Eval("localizedName") %>'

    NavigateUrl='<%# Eval("managementPagePath") %>'></asp:HyperLink>

    </ItemTemplate>

    </asp:TemplateField>

    <asp:TemplateField>

    <ItemTemplate>

    <asp:ImageButton ID="btnSelect" runat="server" Visible='<%#
    cbool(Eval("Completed")) %>'

    CommandName="Select" CommandArgument='<%# eval("ServiceType") %>'
    EnableViewState="False" ImageUrl="~/images/misc/homeStep_preview.gif" />

    </ItemTemplate>

    <ItemStyle HorizontalAlign="Right" VerticalAlign="Middle" Width="50px" />

    </asp:TemplateField>

    </Columns>

    </asp:GridView>

    </ContentTemplate>

    </asp:UpdatePanel>

    And this is the second updatePanel:
    <asp:UpdatePanel ID="upPreview" runat="server" UpdateMode="Conditional">

    <ContentTemplate>

    <asp:panel ID="panelPreview" runat="server" Visible="false">

    <div class="webPartPanelTitle3" style="">

    <asp:Label ID="lblPreviewTitle" runat="server"
    meta:resourcekey="lblPreviewTitle"

    EnableViewState="false">Anteprima</asp:Label>

    </div>

    <div class="webPartPanel3" style="padding-top: 10px; padding-left: 5px;
    padding-bottom: 10px;

    padding-right: 5px;">

    <asp:placeHolder ID="phPreview" runat="server"
    EnableViewState="False"></asp:placeHolder>

    </div>

    </asp:panel>

    </ContentTemplate>

    <Triggers>

    <asp:AsyncPostBackTrigger ControlID="gwOptions"
    EventName="SelectedIndexChanged" />

    </Triggers>

    </asp:UpdatePanel>


    Then, in codebehind, I make this dynamic load:
    Protected Sub gwOptions_RowCommand(ByVal sender As Object, ByVal e As
    System.Web.UI.WebControls.GridViewCommandEventArgs) Handles
    gwOptions.RowCommand

    Select Case e.CommandName

    Case "Select"


    Me.phPreview.Controls.Clear()

    Select Case CType([Enum].Parse(GetType(ServiceTypes), e.CommandArgument),
    ServiceTypes)

    Case mainCard

    Me.phPreview.Controls.Add(Me.LoadControl("~/Controls/Previews/ctlPreviewMainCard.ascx"))

    Case secondaryCards

    Me.phPreview.Controls.Add(Me.LoadControl("~/Controls/Previews/ctlPreviewSecondaryCards.ascx"))

    Case passes

    Me.phPreview.Controls.Add(Me.LoadControl("~/Controls/Previews/ctlPreviewPasses.ascx"))

    [etc....]

    End Select

    End Select


    The ctlPreviewMainCard.ascx control now contains a formView .
    <asp:FormView ID="fvItem" runat="server" EnableViewState="false"
    DataKeyNames="ID" DataSourceID="dataSourceMainCard">

    <ItemTemplate>

    etc..

    If also contains an objectDataSource that retrieve data in a vary simple
    way:
    <asp:ObjectDataSource ID="dataSourceMainCard" runat="server"
    EnableViewState="False"

    OldValuesParameterFormatString="original_{0}" SelectMethod="GetCards"

    TypeName="DataSources.Cards">

    <SelectParameters>

    <asp:parameter DefaultValue="1" Name="type" Type="Object" />

    </SelectParameters>

    </asp:ObjectDataSource>


    That's all

    Thanks


    "Walter Wang [MSFT]" <> wrote in message
    news:...
    > Hi Trapulo,
    >
    > I'm having trouble to reproduce the issue on my side. Also, you mentioned
    > two GridView, which one you selected will cause the exception?
    >
    > For some explanation about the exception, Eilon once described some
    > possible cause of it (http://forums.asp.net/thread/1173230.aspx):
    >
    > =============
    >
    > The error that's happening (as has been mentioned earlier) is caused by an
    > ASP.net 2.0 feature called Event Validation. This is a security feature
    > that ensures that postback actions only come from events allowed and
    > created by the server to help prevent spoofed postbacks. This feature is
    > implemented by having controls register valid events when they render (as
    > in, during their actual Render() methods). The end result is that at the
    > bottom of your rendered <form> tag, you'll see something like this:
    >
    > <input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION"
    > value="AEBnx7v.........tS" />
    >
    > When a postback occurs, ASP.net uses the values stored in this hidden
    > field
    > to ensure that the button you clicked invokes a valid event. If it's not
    > valid, you get the exception that you've been seeing.
    >
    > The problem you're seeing happens specifically when you postback before
    > the
    > EventValidation field has been rendered. If EventValidation is enabled
    > (which it is, by default), but ASP.net doesn't see the hidden field when
    > you postback, you also get the exception. If you submit a form before it
    > has been entirely rendered, then chances are the EventValidation field has
    > not yet been rendered, and thus ASP.net cannot validate your click.
    >
    > One work around is of course to just disable event validation, but you
    > have
    > to be aware of the security implications. Alternatively, just never post
    > back before the form has finished rendering. Of course, that's hard to
    > tell
    > your users, but perhaps you could disable the UI until the form has
    > rendered?
    >
    > Unfortunately there's no "perfect" solution for this just yet.
    >
    > =============
    >
    >
    > Although we're using AJAX here, there's still a normal postback on the
    > server-side.
    >
    > Anyway, we can discuss further after you helped me to reproduce the issue
    > on my side.
    >
    >
    > Sincerely,
    > Walter Wang (, remove 'online.')
    > Microsoft Online Community Support
    >
    > ==================================================
    > Get notification to my posts through email? Please refer to
    > http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
    > ications. If you are using Outlook Express, please make sure you clear the
    > check box "Tools/Options/Read: Get 300 headers at a time" to see your
    > reply
    > promptly.
    >
    > Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
    > where an initial response from the community or a Microsoft Support
    > Engineer within 1 business day is acceptable. Please note that each follow
    > up response may take approximately 2 business days as the support
    > professional working with you may need further investigation to reach the
    > most efficient resolution. The offering is not appropriate for situations
    > that require urgent, real-time or phone-based interactions or complex
    > project analysis and dump analysis issues. Issues of this nature are best
    > handled working with a dedicated Microsoft Support Engineer by contacting
    > Microsoft Customer Support Services (CSS) at
    > http://msdn.microsoft.com/subscriptions/support/default.aspx.
    > ==================================================
    >
    > This posting is provided "AS IS" with no warranties, and confers no
    > rights.
    >
     
    Trapulo, Apr 19, 2007
    #3
  4. Hi Trapulo,

    Thanks for your update.

    I'm still having trouble to reproduce the issue on my side. Anyway, since
    you mentioned that the issue is now "fixed" by using a FormView, let me
    know if you still want to continue finding the root cause.


    Regards,
    Walter Wang (, remove 'online.')
    Microsoft Online Community Support

    ==================================================
    When responding to posts, please "Reply to Group" via your newsreader so
    that others may learn and benefit from your issue.
    ==================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.
     
    Walter Wang [MSFT], Apr 20, 2007
    #4
  5. Trapulo

    Trapulo Guest

    I think we can stop here, thank you.

    "Walter Wang [MSFT]" <> wrote in message
    news:...
    > Hi Trapulo,
    >
    > Thanks for your update.
    >
    > I'm still having trouble to reproduce the issue on my side. Anyway, since
    > you mentioned that the issue is now "fixed" by using a FormView, let me
    > know if you still want to continue finding the root cause.
    >
    >
    > Regards,
    > Walter Wang (, remove 'online.')
    > Microsoft Online Community Support
    >
    > ==================================================
    > When responding to posts, please "Reply to Group" via your newsreader so
    > that others may learn and benefit from your issue.
    > ==================================================
    >
    > This posting is provided "AS IS" with no warranties, and confers no
    > rights.
    >
     
    Trapulo, Apr 20, 2007
    #5
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Greg H
    Replies:
    1
    Views:
    451
    David Waz...
    Jul 3, 2003
  2. Soren Kuula
    Replies:
    1
    Views:
    490
    Henry S. Thompson
    Dec 1, 2005
  3. Kevin
    Replies:
    4
    Views:
    457
    Irrwahn Grausewitz
    Oct 17, 2003
  4. minnie
    Replies:
    1
    Views:
    770
    Andrew Thompson
    Dec 13, 2006
  5. Jeff
    Replies:
    2
    Views:
    358
Loading...

Share This Page