views: 464, answers: 3

I'm getting 100+ errors per day on my website with System.Web.HttpException: Invalid viewstate. at System.Web.UI.Page.DecryptStringWithIV

The website is ASP.NET 3.5 running on IIS 6, not running in a web garden/web farm; single server.

The website is using xhtml doctype.

Viewstate size varies from 2 KB to 20 KB.

Here are a few sample errors.

Machine: ML
Framework Version: 2.0.50727.3603
Assembly Version: 6.5.3664.33889
Source: http://www.domain.com/WebResource.axd?d=z5VmXXoSLLpQHoPictureAlert
Exception: System.Web.HttpException: Invalid viewstate.
   at System.Web.UI.Page.DecryptStringWithIV(String s, IVType ivType)
   at System.Web.Handlers.AssemblyResourceLoader.System.Web.IHttpHandler.ProcessRequest(HttpContext context)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Machine: ML
Framework Version: 2.0.50727.3603
Assembly Version: 6.5.3664.33889
Source: http://www.mydomain.com/ScriptResource.axd?d=SE0Ej7OlEAx91j2Cjv_6KkRPplqT-5wB4M7CZPdGdGn3LahLwqlRPApUcdxBsbFXYHZ91Q76FHAHWgHs8SmOC4zemr7
siym0QY0rF3XtJTu%3C/a%3E%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3Ca%20id=
Exception: System.Web.HttpException: Invalid viewstate.
   at System.Web.UI.Page.DecryptStringWithIV(String s, IVType ivType)
   at System.Web.UI.Page.DecryptString(String s)
   at System.Web.Handlers.ScriptResourceHandler.DecryptParameter(NameValueCollection queryString)
   at System.Web.Handlers.ScriptResourceHandler.ProcessRequestInternal(HttpResponse response, NameValueCollection queryString, VirtualFileReader fileReader)
   at System.Web.Handlers.ScriptResourceHandler.ProcessRequest(HttpContext context)
   at System.Web.Handlers.ScriptResourceHandler.System.Web.IHttpHandler.ProcessRequest(HttpContext context)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Solutions I already tried:

  1. Wrapping all inline JavaScript with //
  2. Setting enableViewStateMac to false
  3. Setting maxPageStateFieldLength to 5000 bytes.
  4. Define a MachineKey in web.config using http://www.developmentnow.com/articles/machinekey_generator.aspx

I can't figure out what causes the errors or which page generates them. Help please! Thank you!

A: 

Is it possible that users are leaving the app open for long lengths of time before coming back to it? Are you pulling any information from the viewstate?

Session might be a better way to keep values across postbacks.

C Bauer
Yes, that is possible; I know for a fact some users open the website and leave the browser open for a long period. But how will this cause these errors?
sharru
Help please...
sharru
When you generated the error (you mentioned it in a comment below), did it just happen at random or did you have to leave the site open for a long time? Is there absolutely no way to reproduce the error except by random chance?
C Bauer
No, when I generate the error it's not when the site is open for a long time. I just click on a few links/buttons on the page. Sometimes I get an error (I don't see the error, it's just logged into the log4net file) and sometimes nothing. (Even doing the same steps over and over doesn't reproduce the error.)
sharru
Are you messing with the viewstate anywhere in the program?
C Bauer
Yes, but nothing serious; I have a few places where I'm storing an int/string variable in viewstate.
sharru
Any smart way to trace the source of the errors? The log shows no usable information.
sharru
Please post the log. Are you checking to see if the ID exists? An easy way is to do string id = (string)ViewState["id"]; if (id != null) { /* Do stuff */ } else { /* Put in code to send you an email */ } If you get the email, then you know either you have a mismatched ID string or the viewstate has been invalidated due to inactivity.
C Bauer
I'm not sure I understand what you mean; in my post above I posted some sample errors from the log. I can post more if it helps, but the error keeps repeating itself with different garbage at the end of the "d" param, like http://www.domain.com/ScriptResource.axd?d=JpGbpqus%20=%20$get('ctl00_cphContent_UserMenu1_LoginBox1_lblStatus');%20%20%20%20%20%20%20%20if%20(email.length%20==%200%20%7C%7C%20email.value%20==
sharru
It's a long shot. Any chance this is related? scriptResourceHandler enableCompression="true" enableCaching="true"
sharru
A: 

In my experience, these errors have been generated by a security company, or in lesser cases, by a hacker trying to post invalid data to the page. This is especially true if you cannot seem to find the source of the error yourself by clicking through the normal usage of the page.

We handle the error on the base page (which we use to inherit all our pages from) in the page_error routine. We then check the error message for this, and for others such as: a potentially dangerous querystring value, invalid postback or callback argument, etc. If one of those errors exists, we store it in an audit and have a process which handles those separately.

Also, is the site on a session/web farm? It is important that the machine keys are the same on both servers. Jeff Atwood wrote an article about this as well: http://www.codinghorror.com/blog/archives/000132.html

Kyle B.
I can generate the error when I'm browsing the website, but I can't seem to link it to a page or a component; it just happens randomly. On the other hand, I just CANNOT generate the error on my DEV machine.
sharru
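
Added example (not part of the original thread): a small triage script for log entries laid out like the ones quoted in the question, sorting each failing `d` value into "well-formed token" versus "page markup appended", in the spirit of the separate audit described in the answer above. The log excerpt, host names and `d` values are constructed, and the token alphabet and the reading of each verdict are assumptions: markup after the token hints that the URL was mangled before it reached the server, while a clean token that still fails points back at key or recycling causes.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed log excerpt in the same layout as the errors quoted in the
# question (hosts and d values are made up for this example).
SAMPLE_LOG = """\
Source: http://www.example.test/WebResource.axd?d=Qm9ndXNUb2tlbg2&t=633750000000000000
Exception: System.Web.HttpException: Invalid viewstate.
Source: http://www.example.test/ScriptResource.axd?d=Zm9vYmFyYmF6
cXV4%3C/a%3E%20%20%20%3Ca%20id=
Exception: System.Web.HttpException: Invalid viewstate.
Source: http://www.example.test/ScriptResource.axd?d=YWJj%20=%20$get('ctl00_lblStatus');
Exception: System.Web.HttpException: Invalid viewstate.
"""

TOKEN = re.compile(r"[A-Za-z0-9_-]+")   # assumption: alphabet of a well-formed d value
MARKUP = re.compile(r"[<>'\"()$;=\s]")  # characters that belong to HTML/JS, not a token

def source_urls(log_text):
    """Yield each Source URL, re-joining URLs wrapped across lines."""
    url = None
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("Source:"):
            url = line[len("Source:"):].strip()
        elif line.startswith("Exception:"):
            if url:
                yield url
            url = None
        elif url is not None:
            url += line  # continuation of a wrapped URL

def classify(url):
    """Return (handler, verdict) for one failing resource URL."""
    m = re.search(r"/(\w+\.axd)\?(?:.*&)?d=([^&]*)", url)
    if not m:
        return ("other", "no_d_parameter")
    handler, d = m.group(1), unquote(m.group(2))
    token = TOKEN.match(d)
    rest = d[token.end():] if token else d
    if not rest:
        return (handler, "well_formed_token")
    return (handler, "markup_appended" if MARKUP.search(rest) else "trailing_garbage")

def summarize(log_text):
    """Count (handler, verdict) pairs across the whole log."""
    return Counter(classify(u) for u in source_urls(log_text))
```

Running `summarize()` over a day's log shows at a glance whether the errors are dominated by mangled URLs or by clean tokens that fail to decrypt.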
A: 
  1. Adjust the settings on the application pools so that recycling is less likely to occur at peak periods.
  2. Use a specific key in the machine.config to prevent automatic key generation on each process start
  3. Only post to the same ASPX page
  4. Turn off firewall and antivirus software

Found those here: http://support.microsoft.com/kb/555353

hunter
My pool recycling is the default one: every 1960 minutes.
sharru