Invalid viewstate / Validation of viewstate MAC failed
New Post
10/6/2014 6:35 PM
 

Hello, 

I'm experiencing an issue with DNN 7.2.2.

Steps to reproduce:

  1. Open the DNN site in a browser without being authenticated (let's call this window "A")
  2. Now locate any link that brings you to a different page within the same site, but open it in a new window (right click, Open in a new window, etc). Now you have two browser windows with the same session; let's call the last one "window B"
  3. In window B authenticate yourself using the standard DNN control.
  4. Now, on window A press any button that makes a postback (HTTP Post). Please note if you make a GET request it will work, it has to be a post.
  5. You should see a 500 Internal server error (error in log refers to Invalid Viewstate, please see full error at the bottom of this post)

This issue was solved in the past by disabling "view state mac validation", but the latest ASP.NET changes pushed by Windows Update have forbidden this and made the validation mandatory.

http://blogs.msdn.com/b/webdev/archive/2014/09/09/farewell-enableviewstatemac.aspx

https://technet.microsoft.com/library/security/2905247

So, the question is how to solve the above issue? I tried to implement the tips and advice on how to resolve this, without any luck.

  • I'm using IIS 7.5
  • I'm not in a web farm
  • I've tried pretty much everything advised here: http://support2.microsoft.com/kb/2915218
    • Setting LoadUserProfile = true for the AppPool
    • Setting machineKey in web.config file
    • etc

You could ask what kind of valid scenario would involve authenticating in a separate browser window. Well, my scenario is different: I have a component with some buttons, if the user is not authenticated when pressing the button a SignIn popup is displayed with usual login component. After successful authentication the popup is closed and the same button is pressed again through javascript (I call __doPostBack, etc). The problem here is that the popup is a Telerik RadWindow that basically creates a window-like div with an IFrame and the IFrame loads the sign in component. Technically speaking that IFrame is pretty much the same as having a second page.

The above example with 2 open pages is just the most minimal and straightforward way I've found of describing the problem.

 

Any ideas?

 

Thanks in advance for your help

 

In the logs:

2014-10-06 17:26:13,371 [SITE][Thread:43][ERROR] DotNetNuke.Services.Exceptions.Exceptions - DotNetNuke.Services.Exceptions.PageLoadException: Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.

See http://go.microsoft.com/fwlink/?LinkID=314055 for more information. ---> System.Web.HttpException: Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.

See http://go.microsoft.com/fwlink/?LinkID=314055 for more information. ---> System.Web.UI.ViewStateException: Invalid viewstate. 

Client IP: 192.168.2.192

Port: 5724

Referer: http://www.site.com/TestPage.aspx

Path: /Default.aspx

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

ViewState: /wEPDw etc ...

   --- End of inner exception stack trace ---

   at System.Web.UI.ViewStateException.ThrowMacValidati (Exception inner, String persistedState)

   at System.Web.UI.ObjectStateFormatter.Deserialize(String inputString, Purpose purpose)

   at System.Web.UI.Util.DeserializeWithAssert(IStateFormatter2 formatter, String serializedState, Purpose purpose)

   at System.Web.UI.HiddenFieldPageStatePersister.Load()

   at System.Web.UI.Page.LoadPageStateFromPersistenceMedium()

   at System.Web.UI.Page.LoadAllState()

   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

   --- End of inner exception stack trace ---

 

 

 

 
New Post
10/6/2014 6:49 PM
 

If this is a newly created instance of DNN, I think it is a permission issue on your IIS and/or local folders. If it is an upgraded site, check whether the modules installed on the site are compatible with your DNN upgrade version.

A new install worked without disabling the viewstate MAC.

 

Clear your browser and clear the IIS cache for some troubleshooting.

 
New Post
10/6/2014 7:15 PM
 
What you're describing is behaviour by design. When a user is validated, a value called viewstateuserkey is set so that ASP.NET can validate whether a page postback comes from the same user who initially loaded the page. This is a necessary security measure to ensure that cross-site request forgery does not occur. Without this, I could post data from one site to another, or log in as one user but alter the post to post data from another user. Whilst you could edit out the relevant code from DNN, I would not recommend trying to work around this, as you open yourself up to potential security issues.

Buy the new Professional DNN7: Open Source .NET CMS Platform book Amazon US
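
Added example, not part of the thread and not DNN or ASP.NET code: a simplified Python model of the behaviour described in the reply above, where the viewstate MAC is bound to a per-user key so that a field rendered for one identity fails validation when posted under another. It does not reproduce ASP.NET's real ViewState serialization; the key, the user names, and the convention that anonymous requests use an empty user key are assumptions.

```python
import hashlib
import hmac

# Constructed stand-in for the <machineKey> validationKey; not a real key.
VALIDATION_KEY = b"constructed-demo-validation-key"
TAG_LEN = hashlib.sha256().digest_size


def _mac(state: bytes, user_key: str) -> bytes:
    # The per-user key is mixed into the MAC input, so the same state
    # yields a different tag for a different (or no) user.
    return hmac.new(VALIDATION_KEY, state + b"\x00" + user_key.encode(),
                    hashlib.sha256).digest()


def render_viewstate(state: bytes, user_key: str) -> bytes:
    """Hidden-field value the server emits when it renders the page."""
    return state + _mac(state, user_key)


def load_viewstate(blob: bytes, user_key: str) -> bytes:
    """Postback side: verify the tag under the *current* user key."""
    state, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _mac(state, user_key)):
        raise ValueError("Validation of viewstate MAC failed")
    return state


def try_postback(blob: bytes, user_key: str) -> str:
    try:
        load_viewstate(blob, user_key)
        return "accepted"
    except ValueError as exc:
        return str(exc)


def replay_thread_scenario() -> dict:
    # Assumption: anonymous requests use an empty key, authenticated
    # requests use the user name ("alice" and "bob" are constructed).
    anon_blob = render_viewstate(b"button-state", "")        # window A, GET
    alice_blob = render_viewstate(b"button-state", "alice")  # GET after login
    return {
        "anonymous post, anonymous page": try_postback(anon_blob, ""),
        "alice posts stale anonymous page": try_postback(anon_blob, "alice"),
        "alice posts re-rendered page": try_postback(alice_blob, "alice"),
        "bob posts alice's page": try_postback(alice_blob, "bob"),
    }


if __name__ == "__main__":
    for case, outcome in replay_thread_scenario().items():
        print(f"{case}: {outcome}")
```

The second case is the two-window sequence from the first post; the fourth is the cross-user post that the binding exists to reject.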
 
New Post
10/7/2014 5:47 PM
 
Thanks both of you for your responses.

Cathal, Do you mean DNN enforces an extra security measure in addition to view state mac validation? (something like http://stackoverflow.com/questions/57...). That would explain why my feature works in every other non-DNN environment even with viewstate mac validation enabled but not here.

If that's the case I'll try to implement my control in a different way, perhaps doing a GET before the POST to let the viewstate user key refresh? Any ideas are welcome.

Thanks again for your help.
 
New Post
10/7/2014 7:47 PM
 

Thanks for your responses.

Cathal, I understand DNN implements an additional security measure besides the viewstate mac validation (like http://stackoverflow.com/questions/5728106/how-to-detect-viewstate-is-tamper-or-not-programatically). This is why my feature is working in every non-DNN environment out there.

If that's the case I'll try to change how my component works, perhaps enforcing a GET before doing a POST over the original button. Any advice would be appreciated.

Thanks for all your help

 