First time here? Check out the site's "greatest hits" or read a post from the archives. Feel free to leave a comment or ask a question, and consider subscribing to the latest posts via RSS or e-mail. Thanks for visiting!
« Zen of Web Services - Join me at the Boi... | Main | ASP.NET HotFix 887219/MS05-004 may break... »

ViewStateUserKey and "Invalid_Viewstate" when posting back during Forms Authentication

Posted in ASP.NET | ViewState.

From my point of view, I like ASP.NET because it's at least consistent. Anytime some crazy crap happens, at least it makes sense once the dust clears.

We've got a "Workflow" ASP.NET Server Control that i s very snazzy. It's a templated user control that handles all the state transitions one has to deal with when showing and hiding different panels during a Wizard-style operation.

So, you can setup Next and Previous or whatever buttons you like, hook each up to any WorkflowStep and there you go. It's a simpler thing that the UIP. Anyway, as with all ASP.NET 1.1 Postback-like things, it postsback to the current page.

Today someone who was creating an Enrollment and Signon workflow got this Exception during a PostBack:

Exception: System.Web.HttpException
Message: Invalid_Viewstate
Source: System.Web
   at System.Web.UI.Page.LoadPageStateFromPersistenceMedium()
   at System.Web.UI.Page.LoadPageViewState()
   at System.Web.UI.Page.ProcessRequestMain()

When you get this exception the standard list of things to check are:

  • If this is a cluster, edit <machineKey> configuration so all servers use the same validationKey and validation algorithm.  AutoGenerate cannot be used in a cluster. 
  • Viewstate can only be posted back to the same page. 
  • The viewstate for this page might be corrupted.

However, this isn't an error that you'd likely see on a single development ox, so something had to be up. The only interesting and different thing about this situation was that the user, in step 4 of this 7-step process, gets logged into Forms Authentication. When I say "gets logged in" I mean, a cookie is sent to them.

Here's the flow of what happened and why it's a problem:

  1. Un-Forms-Authenticated Client (no cookies) does a GET and receives some standard ViewState.
  2. Client fills out form, POSTs back. ViewState is decoded, life goes on.
  3. During Page processing, user is "logged on" and a Forms Authentication cookie is set out (queued up more like it).
  4. Additionally more ViewState is sent back, not encrypted.
  5. Now Forms-Authenticated Client (cookies) fills out form, POSTs back. ViewState from step 4 is returned to the server.
  6. In Global.AuthenticateRequest(), the cookie from this client is cracked open and a valid SecurityPrincipal is put on the current Thread. Now, User.Identity.IsAuthenticated is true, and User.Identity.Name is set to some string.
  7. In the Page.Init() this line executes, which I've mentioned before. This adds another layer of protection to the User's ViewState.:
    if (User.Identity.IsAuthenticated){ViewStateUserKey = User.Identity.Name;}
  8. Then, after Page.Init() but before Page.Load(), the internal method LoadViewStateFromPersistanceMedium() starts to open up the ViewState that was passed to us. This was the non-protected non-encrypted viewstate from step #4.
  9. Exception occurs, because we now are trying to decrypt ViewState with a key that wasn't present when the ViewState was originally generated.

Moral: Don't change ViewStateUserKey when there is pending ViewState that hasn't been posted back and cracked open yet.

However, you can ONLY change Page.ViewStateUserKey in Page.OnInit, so we do a Response.Redirect after the Forms Authentication Cookie is sent out. This avoids any potential trouble with logging a user in on a postback, and cleans up the workflow considerably.



Wednesday, February 09, 2005 10:54:22 PM (Pacific Standard Time, UTC-08:00)
Hey Scott,

Nice post. I think using the Session ID for the ViewStateUserKey would solve your problem. It may cause you others though - would you ever want the viewstate to persist between sessions?
Tim Haines
Wednesday, February 09, 2005 11:04:57 PM (Pacific Standard Time, UTC-08:00)
Good question. ViewState has no explicit lifetime, while sessions do...the guy could wait, expire the session, the postback...that'd cause this error also, no?
Scott Hanselman
Wednesday, February 09, 2005 11:15:36 PM (Pacific Standard Time, UTC-08:00)
I guess it would if not handled. Perhaps there's a nice way to handle it in the session start to avoid the error. I'm guessing as I haven't checked this out, but the postback would send back the expired sessionid in a cookie or something right? Even if a new session is starting, there might be a way to grab that old session id and use it to decode the viewstate.
Tim Haines
Thursday, February 10, 2005 6:08:20 AM (Pacific Standard Time, UTC-08:00)
Ah, but remember the order of things. Init(), LoadViewState(), Load(). Other than Page.OnError, there's nowhere to "handle" the ViewState not loading, and if it doesn't load, you're screwed. You (the developer) can't catch a failed load of viewstate and continue loading the page.
Scott Hanselman
Thursday, February 10, 2005 3:16:53 PM (Pacific Standard Time, UTC-08:00)
A session start happens before the Init doesn't it? After posting the previous comment I started wondering if a browser would pass back an expired session cookie anyway - it's not something I'd want to rely on. So maybe it would be impossible to reliably retrieve the expired session ID. I'm sure you could take the approach of putting the key in another cookie variable or something, but it's starting to sound pretty ugly. I suspect the way you describe it in your post above might be the best way to manage ViewStateUserKey.

BTW, I did a little research last night, and stumbled across a sample chapter from a security book. It suggested using Session ID or Username for the key if the user is logged in, and using a random number (presumably stored somewhere) if the user isn't authenticated. It strongly recomended avoiding unencrypted viewstates.
Tim Haines
Thursday, February 10, 2005 3:19:47 PM (Pacific Standard Time, UTC-08:00)
Your comment spam control just bounced me a couple of times. I'm pretty sure I read it correctly the second time. Would it bounce me if I wrote in caps (like it's suggesting) rather than small letters? It worked the third time when I used small letters, even though it was showing caps.
Tim Haines
Monday, February 14, 2005 10:19:49 AM (Pacific Standard Time, UTC-08:00)
Scott,

That shed some light on a problem I'm having: I've got a form that people sometimes sit on for an hour before submitting. They have to be logged in (FormsAuthentication) to access the page -- but their authentication expires before they submit the form. Now the viewstate info is invalid, because the key has changed. Can you think of a good way to avoid this?

Thanks!

PS: I also found that the comment-spam test requires lowercase entry, even though the picture shows all caps.
Jesse
Comments are closed.

Contact

  • Scott Hanselman

Sponsors

Hosting By

Dedicated Windows Server Hosting by ORCS Web

On this page...

Tags

Africa (91) ASP.NET (602) ASP.NET Dynamic Data (15) ASP.NET MVC (51) BabySmash (17) Back to Basics (10) Bugs (168) CodeRush (21) Coding4Fun (38) Corillian (26) DasBlog (130) Deployment (1) DevCenter (1) DevDays (5) Diabetes (61) DLR (1) eFinance (14) Gaming (113) HttpHandler (16) HttpModule (21) Identity (3) IIS (12) INETA (8) Internationalization (43) IOC (1) Javascript (67) Learning .NET (98) LINQ (16) Longhorn (11) Microsoft (68) Mix (9) Movies (44) MSBuild (1) Musings (483) Nant (39) NCover (12) NDC (11) NDoc (6) NotNorthwind (2) NUnit (46) Open Source (6) PDC (65) PHP (2) Podcast (155) PowerShell (59) Programming (233) Python (1) Reviews (126) Ruby (61) Screencasts (20) Silverlight (29) Source Code (48) Speaking (185) Subversion (14) TechEd (122) Thabo (3) Tools (398) VB (6) ViewState (19) Vista (2) Watir (21) Web Services (429) Windows Client (32) WPF (23) XML (289) XmlSerializer (31) Zenzo (38)

Calendar

<January 2009>
SunMonTueWedThuFriSat
28293031123
45678910
11121314151617
18192021222324
25262728293031
1234567
Posts in timeline
Posts in Large Calendar

Archives

January, 2009 (6)
December, 2008 (32)
November, 2008 (17)
October, 2008 (22)
September, 2008 (16)
August, 2008 (14)
July, 2008 (25)
June, 2008 (19)
May, 2008 (17)
April, 2008 (17)
March, 2008 (26)
February, 2008 (21)
January, 2008 (28)
December, 2007 (19)
November, 2007 (17)
October, 2007 (31)
September, 2007 (39)
August, 2007 (37)
July, 2007 (43)
June, 2007 (37)
May, 2007 (32)
April, 2007 (38)
March, 2007 (29)
February, 2007 (46)
January, 2007 (31)
December, 2006 (27)
November, 2006 (31)
October, 2006 (32)
September, 2006 (39)
August, 2006 (34)
July, 2006 (40)
June, 2006 (18)
May, 2006 (31)
April, 2006 (34)
March, 2006 (30)
February, 2006 (38)
January, 2006 (44)
December, 2005 (19)
November, 2005 (34)
October, 2005 (24)
September, 2005 (37)
August, 2005 (20)
July, 2005 (24)
June, 2005 (33)
May, 2005 (16)
April, 2005 (22)
March, 2005 (34)
February, 2005 (15)
January, 2005 (37)
December, 2004 (28)
November, 2004 (30)
October, 2004 (34)
September, 2004 (22)
August, 2004 (34)
July, 2004 (18)
June, 2004 (64)
May, 2004 (49)
April, 2004 (21)
March, 2004 (29)
February, 2004 (29)
January, 2004 (36)
December, 2003 (25)
November, 2003 (24)
October, 2003 (59)
September, 2003 (42)
August, 2003 (24)
July, 2003 (44)
June, 2003 (29)
May, 2003 (21)
April, 2003 (30)
March, 2003 (27)
February, 2003 (47)
January, 2003 (50)
December, 2002 (31)
November, 2002 (38)
October, 2002 (44)
September, 2002 (15)
May, 2002 (2)
April, 2002 (4)

Google Ads