Validation of viewstate MAC failed.

Discussion in 'ASP .Net' started by Gibble, May 10, 2007.

  1. Gibble

    Gibble Guest

    We have been receiving 100s of this error:

    ----------
    Validation of viewstate MAC failed. If this application is hosted by a
    Web Farm or cluster, ensure that <machineKey> configuration specifies
    the same validationKey and validation algorithm. AutoGenerate cannot
    be used in a cluster.
    ----------

    Since we aren't using a Web Farm or Cluster that's not the issue. The
    machine key is correct. I believe this is related to large/slow
    loading pages not being done rendering when the post back happens.
    Therefor the __EVENTVIEWSTATE form value is not yet set and
    subsequently not sent with the form.

    What are the security implications of setting
    enableEventValidation="false" in my web.config?

    Thankyou.
    -G
    Gibble, May 10, 2007
    #1
    1. Advertising

  2. Gibble

    bruce barker Guest

    enableEventValidation checks that postbacks are from enabled controls,
    and that the posted select values are in the rendered list. it has no
    effect on the error message you are receiving.

    most likely the application is recycling between render and postback.
    this causes a new key to be generated and your error. you can fix the
    key in the web config and avoid this.

    -- bruce (sqlwork.com)

    Gibble wrote:
    > We have been receiving 100s of this error:
    >
    > ----------
    > Validation of viewstate MAC failed. If this application is hosted by a
    > Web Farm or cluster, ensure that <machineKey> configuration specifies
    > the same validationKey and validation algorithm. AutoGenerate cannot
    > be used in a cluster.
    > ----------
    >
    > Since we aren't using a Web Farm or Cluster that's not the issue. The
    > machine key is correct. I believe this is related to large/slow
    > loading pages not being done rendering when the post back happens.
    > Therefor the __EVENTVIEWSTATE form value is not yet set and
    > subsequently not sent with the form.
    >
    > What are the security implications of setting
    > enableEventValidation="false" in my web.config?
    >
    > Thankyou.
    > -G
    >
    bruce barker, May 10, 2007
    #2
    1. Advertising

  3. enableEventValidation is probably not what you need to look at. What that
    controls is whether the Form elements in a postback are the same that were
    on the original page, and has more to do with adding controls or dropdownlist
    elements programmatically (for example).

    ValidateRequest is more like what you want to be looking at. Also, see if
    you really need ViewState enabled on all your controls or the page, to cut
    down on its size.
    Peter

    --
    Site: http://www.eggheadcafe.com
    UnBlog: http://petesbloggerama.blogspot.com
    Short urls & more: http://ittyurl.net




    "Gibble" wrote:

    > We have been receiving 100s of this error:
    >
    > ----------
    > Validation of viewstate MAC failed. If this application is hosted by a
    > Web Farm or cluster, ensure that <machineKey> configuration specifies
    > the same validationKey and validation algorithm. AutoGenerate cannot
    > be used in a cluster.
    > ----------
    >
    > Since we aren't using a Web Farm or Cluster that's not the issue. The
    > machine key is correct. I believe this is related to large/slow
    > loading pages not being done rendering when the post back happens.
    > Therefor the __EVENTVIEWSTATE form value is not yet set and
    > subsequently not sent with the form.
    >
    > What are the security implications of setting
    > enableEventValidation="false" in my web.config?
    >
    > Thankyou.
    > -G
    >
    >
    =?Utf-8?B?UGV0ZXIgQnJvbWJlcmcgW0MjIE1WUF0=?=, May 10, 2007
    #3
  4. Gibble

    Gibble Guest

    We already use a fixed key in our web.config.

    On May 10, 12:03 pm, bruce barker <> wrote:
    > enableEventValidation checks that postbacks are from enabled controls,
    > and that the posted select values are in the rendered list. it has no
    > effect on the error message you are receiving.
    >
    > most likely the application is recycling between render and postback.
    > this causes a new key to be generated and your error. you can fix the
    > key in the web config and avoid this.
    >
    > -- bruce (sqlwork.com)
    >
    > Gibble wrote:
    > > We have been receiving 100s of this error:

    >
    > > ----------
    > > Validation of viewstate MAC failed. If this application is hosted by a
    > > Web Farm or cluster, ensure that <machineKey> configuration specifies
    > > the same validationKey and validation algorithm. AutoGenerate cannot
    > > be used in a cluster.
    > > ----------

    >
    > > Since we aren't using a Web Farm or Cluster that's not the issue. The
    > > machine key is correct. I believe this is related to large/slow
    > > loading pages not being done rendering when the post back happens.
    > > Therefor the __EVENTVIEWSTATE form value is not yet set and
    > > subsequently not sent with the form.

    >
    > > What are the security implications of setting
    > > enableEventValidation="false" in my web.config?

    >
    > > Thankyou.
    > > -G
    Gibble, May 10, 2007
    #4
  5. Gibble

    Gibble Guest

    The current web.config contains.
    <pages validateRequest="false" enableEventValidation="true"/>


    On May 10, 12:13 pm, Peter Bromberg [C# MVP]
    <> wrote:
    > enableEventValidation is probably not what you need to look at. What that
    > controls is whether the Form elements in a postback are the same that were
    > on the original page, and has more to do with adding controls or dropdownlist
    > elements programmatically (for example).
    >
    > ValidateRequest is more like what you want to be looking at. Also, see if
    > you really need ViewState enabled on all your controls or the page, to cut
    > down on its size.
    > Peter
    >
    > --
    > Site: http://www.eggheadcafe.com
    > UnBlog: http://petesbloggerama.blogspot.com
    > Short urls & more: http://ittyurl.net
    >
    > "Gibble" wrote:
    > > We have been receiving 100s of this error:

    >
    > > ----------
    > > Validation of viewstate MAC failed. If this application is hosted by a
    > > Web Farm or cluster, ensure that <machineKey> configuration specifies
    > > the same validationKey and validation algorithm. AutoGenerate cannot
    > > be used in a cluster.
    > > ----------

    >
    > > Since we aren't using a Web Farm or Cluster that's not the issue. The
    > > machine key is correct. I believe this is related to large/slow
    > > loading pages not being done rendering when the post back happens.
    > > Therefor the __EVENTVIEWSTATE form value is not yet set and
    > > subsequently not sent with the form.

    >
    > > What are the security implications of setting
    > > enableEventValidation="false" in my web.config?

    >
    > > Thankyou.
    > > -G
    Gibble, May 10, 2007
    #5
  6. Gibble

    bruce barker Guest

    you should probably reduce your viewstate size (< 1k), if you can not,
    then you probably need to set viewStateEncryptionMode to never and turn
    off enableEventValidation.

    the security you face is your site is easier to hack. because the
    viewstate is not encrypted, hackers can change values in the viewstate,
    send values not included in a dropdown list and press buttons you may
    have disabled. as long as you site does not trust any postback values,
    and validates button clicks then you are fine.

    crosssite scripting and sql injection are the most common risks if you
    do not do the above validation.

    -- bruce (sqlwork.com)


    Gibble wrote:
    > We already use a fixed key in our web.config.
    >
    > On May 10, 12:03 pm, bruce barker <
    >> enableEventValidation checks that postbacks are from enabled controls,
    >> and that the posted select values are in the rendered list. it has no
    >> effect on the error message you are receiving.
    >>
    >> most likely the application is recycling between render and postback.
    >> this causes a new key to be generated and your error. you can fix the
    >> key in the web config and avoid this.
    >>
    >> -- bruce (sqlwork.com)
    >>
    >> Gibble wrote:
    >>> We have been receiving 100s of this error:
    >>> ----------
    >>> Validation of viewstate MAC failed. If this application is hosted by a
    >>> Web Farm or cluster, ensure that <machineKey> configuration specifies
    >>> the same validationKey and validation algorithm. AutoGenerate cannot
    >>> be used in a cluster.
    >>> ----------
    >>> Since we aren't using a Web Farm or Cluster that's not the issue. The
    >>> machine key is correct. I believe this is related to large/slow
    >>> loading pages not being done rendering when the post back happens.
    >>> Therefor the __EVENTVIEWSTATE form value is not yet set and
    >>> subsequently not sent with the form.
    >>> What are the security implications of setting
    >>> enableEventValidation="false" in my web.config?
    >>> Thankyou.
    >>> -G

    >
    >
    bruce barker, May 10, 2007
    #6
  7. Gibble

    Gibble Guest

    Well, we shouldn't be using viewstate anywhere anyhow, it's disabled
    wherever possible.

    Thanks.

    On May 10, 2:54 pm, bruce barker <> wrote:
    > you should probably reduce your viewstate size (< 1k), if you can not,
    > then you probably need to set viewStateEncryptionMode to never and turn
    > off enableEventValidation.
    >
    > the security you face is your site is easier to hack. because the
    > viewstate is not encrypted, hackers can change values in the viewstate,
    > send values not included in a dropdown list and press buttons you may
    > have disabled. as long as you site does not trust any postback values,
    > and validates button clicks then you are fine.
    >
    > crosssite scripting and sql injection are the most common risks if you
    > do not do the above validation.
    >
    > -- bruce (sqlwork.com)
    >
    > Gibble wrote:
    > > We already use a fixed key in our web.config.

    >
    > > On May 10, 12:03 pm, bruce barker <
    > >> enableEventValidation checks that postbacks are from enabled controls,
    > >> and that the posted select values are in the rendered list. it has no
    > >> effect on the error message you are receiving.

    >
    > >> most likely the application is recycling between render and postback.
    > >> this causes a new key to be generated and your error. you can fix the
    > >> key in the web config and avoid this.

    >
    > >> -- bruce (sqlwork.com)

    >
    > >> Gibble wrote:
    > >>> We have been receiving 100s of this error:
    > >>> ----------
    > >>> Validation of viewstate MAC failed. If this application is hosted by a
    > >>> Web Farm or cluster, ensure that <machineKey> configuration specifies
    > >>> the same validationKey and validation algorithm. AutoGenerate cannot
    > >>> be used in a cluster.
    > >>> ----------
    > >>> Since we aren't using a Web Farm or Cluster that's not the issue. The
    > >>> machine key is correct. I believe this is related to large/slow
    > >>> loading pages not being done rendering when the post back happens.
    > >>> Therefor the __EVENTVIEWSTATE form value is not yet set and
    > >>> subsequently not sent with the form.
    > >>> What are the security implications of setting
    > >>> enableEventValidation="false" in my web.config?
    > >>> Thankyou.
    > >>> -G
    Gibble, May 10, 2007
    #7
  8. Gibble

    RS Emenu Guest

    Viewstate validation failed

    The reason for this error is validation of Viewstate failing because of different value of key for encryption/decryption across different server on farm. Below link provide good explanation of this error and possible resolution for the same.

    http://a2zmenu.com/AspNet/Validation-of-viewstate-MAC-failed.aspx

    > On Thursday, May 10, 2007 12:54 PM Gibble wrote:


    > We have been receiving 100s of this error:
    >
    > ----------
    > Validation of viewstate MAC failed. If this application is hosted by a
    > Web Farm or cluster, ensure that <machineKey> configuration specifies
    > the same validationKey and validation algorithm. AutoGenerate cannot
    > be used in a cluster.
    > ----------
    >
    > Since we aren't using a Web Farm or Cluster that's not the issue. The
    > machine key is correct. I believe this is related to large/slow
    > loading pages not being done rendering when the post back happens.
    > Therefor the __EVENTVIEWSTATE form value is not yet set and
    > subsequently not sent with the form.
    >
    > What are the security implications of setting
    > enableEventValidation="false" in my web.config?
    >
    > Thankyou.
    > -G



    >> On Thursday, May 10, 2007 1:03 PM bruce barker wrote:


    >> enableEventValidation checks that postbacks are from enabled controls,
    >> and that the posted select values are in the rendered list. it has no
    >> effect on the error message you are receiving.
    >>
    >> most likely the application is recycling between render and postback.
    >> this causes a new key to be generated and your error. you can fix the
    >> key in the web config and avoid this.
    >>
    >> -- bruce (sqlwork.com)
    >>
    >> Gibble wrote:



    >>> On Thursday, May 10, 2007 1:13 PM pbromber wrote:


    >>> enableEventValidation is probably not what you need to look at. What that
    >>> controls is whether the Form elements in a postback are the same that were
    >>> on the original page, and has more to do with adding controls or dropdownlist
    >>> elements programmatically (for example).
    >>>
    >>> ValidateRequest is more like what you want to be looking at. Also, see if
    >>> you really need ViewState enabled on all your controls or the page, to cut
    >>> down on its size.
    >>> Peter
    >>>
    >>> --
    >>> Site: http://www.eggheadcafe.com
    >>> UnBlog: http://petesbloggerama.blogspot.com
    >>> Short urls & more: http://ittyurl.net
    >>>
    >>>
    >>>
    >>>
    >>> "Gibble" wrote:



    >>>> On Thursday, May 10, 2007 1:16 PM Gibble wrote:


    >>>> We already use a fixed key in our web.config.



    >>>>> On Thursday, May 10, 2007 1:21 PM Gibble wrote:


    >>>>> The current web.config contains.
    >>>>> <pages validateRequest="false" enableEventValidation="true"/>



    >>>>>> On Thursday, May 10, 2007 3:54 PM bruce barker wrote:


    >>>>>> you should probably reduce your viewstate size (< 1k), if you can not,
    >>>>>> then you probably need to set viewStateEncryptionMode to never and turn
    >>>>>> off enableEventValidation.
    >>>>>>
    >>>>>> the security you face is your site is easier to hack. because the
    >>>>>> viewstate is not encrypted, hackers can change values in the viewstate,
    >>>>>> send values not included in a dropdown list and press buttons you may
    >>>>>> have disabled. as long as you site does not trust any postback values,
    >>>>>> and validates button clicks then you are fine.
    >>>>>>
    >>>>>> crosssite scripting and sql injection are the most common risks if you
    >>>>>> do not do the above validation.
    >>>>>>
    >>>>>> -- bruce (sqlwork.com)
    >>>>>>
    >>>>>>
    >>>>>> Gibble wrote:



    >>>>>>> On Thursday, May 10, 2007 4:07 PM Gibble wrote:


    >>>>>>> Well, we should not be using viewstate anywhere anyhow, it is disabled
    >>>>>>> wherever possible.
    >>>>>>>
    >>>>>>> Thanks.



    >>>>>>> Submitted via EggHeadCafe - Software Developer Portal of Choice
    >>>>>>> Composite UI Pattern and RAD Development for Data Entry Applications, Part 1
    >>>>>>> http://www.eggheadcafe.com/tutorial...pment-for-data-entry-applications-part-1.aspx
    RS Emenu, Sep 22, 2010
    #8
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Ray Stevens

    Validation of viewstate MAC failed

    Ray Stevens, Aug 4, 2005, in forum: ASP .Net
    Replies:
    4
    Views:
    804
    Brock Allen
    Aug 9, 2005
  2. Not Me

    Validation of viewstate MAC failed

    Not Me, Dec 8, 2005, in forum: ASP .Net
    Replies:
    0
    Views:
    470
    Not Me
    Dec 8, 2005
  3. Sergej Grickov

    Error: Validation of viewstate MAC failed

    Sergej Grickov, Jan 27, 2006, in forum: ASP .Net
    Replies:
    3
    Views:
    11,656
    Teemu Keiski
    Feb 4, 2006
  4. aaaaaa
    Replies:
    1
    Views:
    424
    Alvin Bruney - ASP.NET MVP
    Mar 23, 2006
  5. sck10
    Replies:
    6
    Views:
    900
    sck10
    Sep 1, 2006
Loading...

Share This Page