I'm getting 100+ errors per day on my website with System.Web.HttpException: Invalid viewstate.

The website is ASP.NET 3.5 running on IIS 6, not running in a web garden/web farm; single server.

Here are a few sample errors.

Machine: ML Framework Version: 2.0.50727.3603 Assembly Version: 6.5.3664.33889 
Source: http://www.domain.com/WebResource.axd?d=z5VmXXoSLLpQHoPictureAlert 
Exception: System.Web.HttpException: Invalid viewstate. at System.Web.UI.Page.DecryptStringWithIV(String s, IVType ivType) at System.Web.Handlers.AssemblyResourceLoader.System.Web.IHttpHandler.ProcessRequest(HttpContext context) 
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() 
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) 

Machine: MLFramework Version: 2.0.50727.3603 Assembly Version: 6.5.3664.33889 
Source: http://www.mydomain.com/ScriptResource.axd?d=SE0Ej7OlEAx91j2Cjv_6KkRPplqT-5wB4M7CZPdGdGn3LahLwqlRPApUcdxBsbFXYHZ91Q76FHAHWgHs8SmOC4zemr7
siym0QY0rF3XtJTu%3C/a%3E%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3Ca%20id= 
Exception: System.Web.HttpException: Invalid viewstate. at System.Web.UI.Page.DecryptStringWithIV(String s, IVType ivType) at 
System.Web.UI.Page.DecryptString(String s) at System.Web.Handlers.ScriptResourceHandler.DecryptParameter(NameValueCollection queryString) at 
System.Web.Handlers.ScriptResourceHandler.ProcessRequestInternal(HttpResponse response, NameValueCollection queryString, 
VirtualFileReader fileReader) at System.Web.Handlers.ScriptResourceHandler.ProcessRequest(HttpContext context) at 
System.Web.Handlers.ScriptResourceHandler.System.Web.IHttpHandler.ProcessRequest(HttpContext context) at 
System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at 
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) 
  1. I already tried wrapping all inline JavaScript with //<![CDATA[ //]]>
  2. I already set enableViewStateMac to false.

From looking at all the errors and guessing from the "d" parameter, it seems to focus on a single user control on my website. In this control I change the visibility of divs + text in the user control's OnPreRender function.

protected override void OnPreRender(EventArgs e)
{
    base.OnPreRender(e);
    PreparePage();
}

Can the errors be related to the user control's behavior?

Thanks!

A: 

If your site is running in a web farm this might be related to having different machine keys. For example, if one server is used to encode the viewstate then another server won't be able to decode it if it does not have the same machine key. Check out this article. Even if you don't have multiple servers, try specifying fixed machine keys.

Darin Dimitrov
Thanks for your answer. The website is not in a web garden/web farm. Do you think there is still a point in using a fixed machine key?
dan
Also, I already set enableViewStateMac="false", which should cancel the effect of machine keys.
dan
I added a fixed machine key just to be sure... no luck, the error still keeps coming. Any other ideas? Thanks!
dan
A: 

The invalid ViewState exception is generally from ASP.NET's built-in event validation. Turning off EnableViewStateMac simply stops the MAC-based encryption, not the viewstate validation. To do that you need to set EnableEventValidation="false" in the Page directive.

As to why it's happening... three possible reasons:

1) You are modifying the contents of a control on the client side (such as DropDownList items).

2) The page is being posted back before the ViewState validation field is being rendered.

3) Your site is the target of a malicious script searching for vulnerabilities... in which case, EventValidation is doing its job.

I'd say #1 is most likely... but #2 is also very common, especially when you're seeing this error inconsistently.

Bryan
I don't want to turn viewstate validation off; I believe it exists for a purpose. Any idea on how to track the pages/controls causing the errors?
dan
As a security feature, I would say it's pretty much the least important thing. MS themselves advise turning it off in these sorts of situations. As for finding the control... is it happening consistently? If not, then it's probably #2 and there's not much you can do about it except decrease the size of your rendered page.
Bryan
Yes, it happens consistently. Every day 100+ errors, when the "d" parameter has 3-5 repeating values. How do I find out from which page the error comes?
dan
Event Viewer should show you what URL is causing any unhandled exceptions. Any update here? I've been out a few days.
Bryan
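
One way to triage the logged URLs discussed in this thread, as an added example that is not part of the original posts: it groups the failing `.axd` requests by the shape of their `d` parameter, separating tokens with page markup glued on (as in the second sample error) from tokens that are merely altered or intact. It assumes a well-formed token is URL-safe base64 ending in a padding-count digit (the format `HttpServerUtility.UrlTokenEncode` produces); the log lines, host name and function names are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Assumption: a well-formed "d" token is URL-safe base64 ([A-Za-z0-9_-])
# followed by one digit giving the padding count (UrlTokenEncode format).
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]+[0-2]$")
SOURCE_RE = re.compile(r"Source:\s*(\S+)")
MARKUP_RE = re.compile(r"[<>\s'\"=]")

def classify_d(url):
    """Return (handler, verdict) for one logged .axd request URL."""
    parts = urlsplit(url)
    handler = parts.path.rsplit("/", 1)[-1]
    values = parse_qs(parts.query, keep_blank_values=True).get("d")
    if not values:
        return handler, "missing"
    d = values[0]                      # parse_qs has already percent-decoded it
    if MARKUP_RE.search(d):
        return handler, "markup-appended"   # page HTML glued onto the URL
    if not TOKEN_RE.match(d):
        return handler, "malformed-token"   # truncated or altered token
    return handler, "well-formed"           # token shape is intact

def triage(log_text):
    """Count verdicts per handler across all 'Source:' lines in a log."""
    counts = Counter()
    for match in SOURCE_RE.finditer(log_text):
        counts[classify_d(match.group(1))] += 1
    return counts

# Constructed sample log lines (not taken from the real site).
SAMPLE_LOG = """
Source: http://www.example.test/ScriptResource.axd?d=AbCdEfGh1234_-xyz%3C/a%3E%20%20%3Ca%20id=
Source: http://www.example.test/ScriptResource.axd?d=AbCdEfGh1234_-xyz%3C/a%3E%20%20%3Ca%20id=
Source: http://www.example.test/WebResource.axd?d=AbCdEfGhSomeScriptName
Source: http://www.example.test/WebResource.axd?d=AbCdEfGh1234_-xy1&t=633000000000000000
"""

if __name__ == "__main__":
    for (handler, verdict), n in triage(SAMPLE_LOG).most_common():
        print(f"{n:4d}  {handler:20s} {verdict}")
```

A high count of `markup-appended` or `malformed-token` points at clients that mangle the URL before requesting it, while `well-formed` failures point back at keys or stale cached pages.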