Scott Hanselman

ViewStateUserKey and "Invalid_Viewstate" when posting back during Forms Authentication

February 9, '05 Comments [7] Posted in ASP.NET | ViewState
Sponsored By

From my point of view, I like ASP.NET because it's at least consistent. Anytime some crazy crap happens, at least it makes sense once the dust clears.

We've got a "Workflow" ASP.NET Server Control that i s very snazzy. It's a templated user control that handles all the state transitions one has to deal with when showing and hiding different panels during a Wizard-style operation.

So, you can setup Next and Previous or whatever buttons you like, hook each up to any WorkflowStep and there you go. It's a simpler thing that the UIP. Anyway, as with all ASP.NET 1.1 Postback-like things, it postsback to the current page.

Today someone who was creating an Enrollment and Signon workflow got this Exception during a PostBack:

Exception: System.Web.HttpException
Message: Invalid_Viewstate
Source: System.Web
   at System.Web.UI.Page.LoadPageStateFromPersistenceMedium()
   at System.Web.UI.Page.LoadPageViewState()
   at System.Web.UI.Page.ProcessRequestMain()

When you get this exception the standard list of things to check are:

  • If this is a cluster, edit <machineKey> configuration so all servers use the same validationKey and validation algorithm.  AutoGenerate cannot be used in a cluster. 
  • Viewstate can only be posted back to the same page. 
  • The viewstate for this page might be corrupted.

However, this isn't an error that you'd likely see on a single development ox, so something had to be up. The only interesting and different thing about this situation was that the user, in step 4 of this 7-step process, gets logged into Forms Authentication. When I say "gets logged in" I mean, a cookie is sent to them.

Here's the flow of what happened and why it's a problem:

  1. Un-Forms-Authenticated Client (no cookies) does a GET and receives some standard ViewState.
  2. Client fills out form, POSTs back. ViewState is decoded, life goes on.
  3. During Page processing, user is "logged on" and a Forms Authentication cookie is set out (queued up more like it).
  4. Additionally more ViewState is sent back, not encrypted.
  5. Now Forms-Authenticated Client (cookies) fills out form, POSTs back. ViewState from step 4 is returned to the server.
  6. In Global.AuthenticateRequest(), the cookie from this client is cracked open and a valid SecurityPrincipal is put on the current Thread. Now, User.Identity.IsAuthenticated is true, and User.Identity.Name is set to some string.
  7. In the Page.Init() this line executes, which I've mentioned before. This adds another layer of protection to the User's ViewState.:
    if (User.Identity.IsAuthenticated){ViewStateUserKey = User.Identity.Name;}
  8. Then, after Page.Init() but before Page.Load(), the internal method LoadViewStateFromPersistanceMedium() starts to open up the ViewState that was passed to us. This was the non-protected non-encrypted viewstate from step #4.
  9. Exception occurs, because we now are trying to decrypt ViewState with a key that wasn't present when the ViewState was originally generated.

Moral: Don't change ViewStateUserKey when there is pending ViewState that hasn't been posted back and cracked open yet.

However, you can ONLY change Page.ViewStateUserKey in Page.OnInit, so we do a Response.Redirect after the Forms Authentication Cookie is sent out. This avoids any potential trouble with logging a user in on a postback, and cleans up the workflow considerably.

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

Zen of Web Services - Join me at the Boise .NET Developers User Group

February 9, '05 Comments [2] Posted in ASP.NET | Web Services | XmlSerializer | Tools
Sponsored By

I'll be in Boise on 2/17 at the Boise .NET Developers User Group giving a "two hour talk on angle brackets" as Simon Fell once describe it so astutely. It's my famous (in my own mind) "Zen and the Art of Web Services" talk, also known as "WS-SoWhat?" (also known as WS-BFD) and "How I stopped worrying and learned to love WSDL."

If you're in, around, near, or adjacent to Boise on 2/17 at 6:30pm, come hang out with me and mention that you saw it on my blog. I'll also show about four dozen free tools and utilities that will make your life easier. Come see my talk and I promise it won't suck, plus Law&Order is a repeat that night anyway.

Will Web Services save the world? More importantly, will they save you time? We'll separate the good from the bad and dig into the WHY of Web Services and the HOW of the .NET Framework. We'll go low level and sniff packets on the wire and we'll go high level and design business documents with XML schema. We'll auto-generate Business Domain Objects and Messages. We'll discuss the meaning of the WS*.* specifications, interoperability and get our heads around the "Zen" of Web Services and see where .NET succeeds and where it falls down. This talk will be as technical as you want it to be, but it will also be valuable for the Business Person or Project Manager who really wants to answer the question "Web Services: So What?" Doesn't sound like the typical Users Group meeting, does it? You'll just have to come by and find out!

Ever wish you could launch Visual Studio.NET and go “File|New Enterprise?”  Well, you can’t just slap [WebMethod] on your existing stuff and go to market.  Web Services and WS*.* have turned out to be the biggest buzzwords since ActiveX – let’s really dig in technically and find out what’s going on.  We’ll look at:

  • The Primordial Ooze that we called CSV files up until XML Schemas today
  • The Internals of XSD.EXE and the XmlSerializer
  • We’ll ILDASM and Reflect(or) our way through System.Web
  • Examples of replacing XSD.EXE with your own generated code
  • Exactly how Visual Studio.NET promotes Microsoft’s view of The Matrix, and how you can be more like Neo, and less like Neo’s cube-mates and co-workers.
  • How to use Web Services in any context, and how to promote Interop with other languages.
  • How to sniff SOAP on the wire and why you should care
  • How XSD Types map to CLR Types and how to deal with the NULL problem
  • How WSE applies to you, and how to CYA as we wait for Indigo.

Now playing: Dave Matthews Band - Stay (Wasting Time)

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

Microsoft Fingerprint Reader - a Mini Review

February 9, '05 Comments [17] Posted in Reviews
Sponsored By

Fingerprint2I picked up a Microsoft Fingerprint Reader, which is a Digital Persona straight re-brand.

I'm seriously digging it. The registration process (shown at left) is fantastic. It's smooth, it's accurate and best of all it's simple.

Once you've clicked a few fingers and registered it, you can use any finger you want to indicate that it's you.

If you're on a web page with a name/password dialog when you touch the reader, you're prompted to enter your combo. After that, the software will automatically enter your password when you touch the reader. You can also touch the reader first, then pick what page you'd like to visit.

Either way, I've stopped entering passwords since I got this little gem. I've plugged it into the USB Hub on my DELL LCD Monitor, so it's always at hand (no pun intended) and it doesn't take up a USB Root Port on the main system.

Good Things:

  • It integrates with the Windows XP Ctrl-Alt-Del Login or Welcome Screen without changing it.
  • Non-intrusive and stays our of your way. No modal dialogs.
  • It's shiny

Bad Things:

  • You could cut off my finger, go to my house and log into my machine. Ah, but which finger!? I gotcha, evil doers. Unless, you take the whole hand. Er. Ick.
  • I can't figure out from the super-simple interface where to EDIT or DELETE an existing password. It must be there, and it's mentioned in the help, but I swear, I can't find it.
  • Rare: If you already have a Ctrl-Alt-Del replacement, perhaps for VPN software like Cisco, you can't use the reader for your primary login.
  • Can be spoofed if you use a gummy bear with ridges cut to register your fingers initially.

It's definitely worth the money and I use it every day.

Now playing: Eve - Gotta Man

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

A JavaScript implementation of innerText (not innerHtml) for FireFox and non-IE browsers.

February 8, '05 Comments [10] Posted in ASP.NET | Javascript
Sponsored By

In the sick, twisted word of cross-browser DOM-based JavaScript, sometimes you need to get the contents of an element. You usually use element.innerHTML, but often you don't want any existing sub-tags that might be in there. You want .innerText! But, innerText is only available on IE. Poop.

So, I needed this today, and my buddy Stuart found a solution here. Sick, yes. Twisted, yes. Works, yes. Moving on.

    <script type="text/javascript">
      var regExp = /<\/?[^>]+>/gi;
      function ReplaceTags(xStr){
        xStr = xStr.replace(regExp,"");
        return xStr;
      }
    </script>

All you need to do is pass it a string and it returns the string stripped of the tags. An example is shown below to grab the text from a div without the tags.

<html>
  <head>
    <script type="text/javascript">
      var regExp = /<\/?[^>]+>/gi;
      function ReplaceTags(xStr){
        xStr = xStr.replace(regExp,"");
        return xStr;
      }
    </script>
  </head>
  <body>
    <div id="test">
      <span id="span1">Test <u><b>Test</b></u> Test <br/><a href="#">Wow</a>!</span>
    </div>
    <script type="text/javascript">
      var xContent = document.getElementById("test").innerHTML;
      var fixedContent = ReplaceTags(xContent);
      alert(fixedContent);
    </script>
  </body>
</html>
[Eric's Weblog]

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

Adding Tabs to Internet Explorer (IE) and the Rise, no, uh, er, fall of the Integrated Application

February 5, '05 Comments [6] Posted in Speaking | Tools
Sponsored By

I was asked today how to add Tabs and Tabbed Browsing to IE. Since "Use FireFox" wasn't appreciated as an answer, I pointed them to:

  • MyIE2/Maxthon - Renamed Maxthon recently, this has a load of toolbars, Skins, Gestures and
  • AvantBrowser - Feels from MDI and is free. Includes Skins, cleans up your tracks and filters Flash.

Which got me thinking. Is there room for IE-based browsers? Or are they just potential spyware-carriers? Do we need another browser? So many people were lamenting the lack of an IE7 on the Horizon and have been moving away from the "one browser/webapp for them all" view as RSS Readers are being favored by many over the integrated experience. Are there too many apps out there? We seem to oscillate between lots of 'applets' and lots of do-it-all apps.

Visual Studio seems to be taking lots of the best Add-In (applet) ideas and merging them into the mainline making Visual Studio the "Outlook" of development. I'm the guy with lists of utils, but in an average day, I may only touch:

  • iTunes
  • VS.NET (with a crapload of addins)
  • Virtual PC
  • Dragon NaturallySpeaking
  • Word
  • Outlook (with NewsGator)
  • BlogJet
  • VS.NET Command Prompt
  • Messenger

This is a pretty small list. Does this show some kind of pattern? Are apps becoming more laser focused? or more shotgun approach? Is there room for a dozen different RSS Readers? or just a few?

I also wonder if we're "red vs. blue-ing" the desktop application space:

  • Thunderbird vs. Outlook/Entourage
  • Newsgator vs. FeedDemon
  • Word vs. OpenOffice
  • Messenger vs. Trillian
  • VS.NET vs. Eclipse
  • Virtual PC vs. VMWare

I know it's not that really that polarized, but sometimes it feels as such. I guess that's just the magic of evolution/opensource/freemarket ecomony.

Hm.

Now playing: Mos Def - Next Universe..

About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.

facebook twitter subscribe
About   Newsletter
Sponsored By
Hosting By
Dedicated Windows Server Hosting by SherWeb

Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.