Should a page with ViewState disabled still be validating a __viewstate field?

Question

I have a shopping cart page (Cart.aspx) that has a button that will (sometimes) post to a third party payment gateway, if payment is necessary. The payment gateway will process the payment and then do a silent post to my website (Order.aspx) so I can update the order status.

Order.aspx always throws an invalid viewstate error, even though viewstate is disabled on the page.

What's happening is that Cart.aspx (which has viewstate enabled) posts to the payment gateway, and the gateway will post it back as part of the silent post. Even though Order.aspx has viewstate disabled and validation disabled, it still tries to validate the __viewstate field it's being given.

I know setting EnableViewState=false will disable the rendering of the __viewstate field, but if another page provides the field, shouldn't it still skip validation?

I tried calling ViewState.Clear() on the Page_Init event of Order.aspx, but ViewState is apparently empty.

Any suggestions on how to get around this? I don't want to disable ViewState on Cart.aspx (in some cases it may be necessary), but I can't figure out how to clear it on Order.aspx.

Answer 1

Even when you disable the ViewState, ASP.NET still needs it. It uses the hidden __viewstate field for the view state, control state and it uses to validate the request. You can create a custom HttpHandler and let the order post to that page. Of course you need to be cautious about the validity of the request. Make sure you can make sure the request is legitimate and not from a hacker.