Setting ViewStateUserKey causes "Validation of viewstate MAC failed" errors. by VG_mnet


Status: Active
Type: Bug
ID: 769494
Opened: 11/1/2012 12:28:13 PM
Access Restriction: Public
Workarounds: 0
Users who can reproduce this bug: 0

Description

In order to help prevent CSRF attacks I have added the following code:
Protected Sub Page_Init(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Init
    Page.ViewStateUserKey = Session.SessionID
End Sub

And now I am getting a "Validation of viewstate MAC failed" error on many pages, in some cases consistently every time, even if my session is brand new (timeout is set to 2 hrs).

I also have code that auto-redirects to the login page after the session timeout limit is reached, so this happens while the session is still active. I also log all errors to the database with a session dump so I can see that the session was active (had data set on login page) when the error occurred.

When I remove the ViewStateUserKey setting, the error stops happening.

Why is this happening? I want to use the ViewStateUserKey setting but I don't want my users to have to deal with this error all the time.
Details
Posted by VG_mnet on 1/29/2013 at 4:51 AM
I am trying to implement the code sample given, but my Master page has no "PreLoad" event so I am unable to implement that piece since I can't get access to the PreLoad event. Is there another event I could use instead?
-VG
Posted by Microsoft on 1/24/2013 at 11:47 AM
Below is an example of using ViewStateUserKey to help protect against XSRF. This is taken directly from the Web Forms templates shipped in Visual Studio 2012 but should be applicable to .NET 3.5 also.

private const string AntiXsrfTokenKey = "__AntiXsrfToken";
private const string AntiXsrfUserNameKey = "__AntiXsrfUserName";
private string _antiXsrfTokenValue;

protected void Page_Init(object sender, EventArgs e)
{
    // The code below helps to protect against XSRF attacks
    var requestCookie = Request.Cookies[AntiXsrfTokenKey];
    Guid requestCookieGuidValue;
    if (requestCookie != null && Guid.TryParse(requestCookie.Value, out requestCookieGuidValue))
    {
        // Use the Anti-XSRF token from the cookie
        _antiXsrfTokenValue = requestCookie.Value;
        Page.ViewStateUserKey = _antiXsrfTokenValue;
    }
    else
    {
        // Generate a new Anti-XSRF token and save to the cookie
        _antiXsrfTokenValue = Guid.NewGuid().ToString("N");
        Page.ViewStateUserKey = _antiXsrfTokenValue;

        var responseCookie = new HttpCookie(AntiXsrfTokenKey)
        {
            HttpOnly = true,
            Value = _antiXsrfTokenValue
        };
        if (FormsAuthentication.RequireSSL && Request.IsSecureConnection)
        {
            responseCookie.Secure = true;
        }
        Response.Cookies.Set(responseCookie);
    }

    Page.PreLoad += master_Page_PreLoad;
}

protected void master_Page_PreLoad(object sender, EventArgs e)
{
    if (!IsPostBack)
    {
        // Set Anti-XSRF token
        ViewState[AntiXsrfTokenKey] = Page.ViewStateUserKey;
        ViewState[AntiXsrfUserNameKey] = Context.User.Identity.Name ?? String.Empty;
    }
    else
    {
        // Validate the Anti-XSRF token
        if ((string)ViewState[AntiXsrfTokenKey] != _antiXsrfTokenValue
            || (string)ViewState[AntiXsrfUserNameKey] != (Context.User.Identity.Name ?? String.Empty))
        {
            throw new InvalidOperationException("Validation of Anti-XSRF token failed.");
        }
    }
}
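As an added example that is not part of this bug report or of the Visual Studio template: the C# sample above ported to VB.NET and placed in a master page, which is the situation raised in the 1/29/2013 question about the master page having no PreLoad event. A master page has no PreLoad event of its own; it subscribes to the hosting Page's PreLoad event with AddHandler from its own Init handler, which is all the C# line Page.PreLoad += master_Page_PreLoad does. The class name SiteMaster is assumed. The cookie-based token is kept in place of Session.SessionID because ASP.NET issues a new session ID on every request until some value has actually been stored in the session, so a key derived from SessionID can differ between the response that signed the ViewState and the postback that verifies it.

```vbnet
' Added example: VB.NET port of the template pattern, hosted in a master page.
' Class name SiteMaster is an assumption; adjust to the project's master page.
Imports System
Imports System.Web
Imports System.Web.Security
Imports System.Web.UI

Partial Public Class SiteMaster
    Inherits MasterPage

    Private Const AntiXsrfTokenKey As String = "__AntiXsrfToken"
    Private Const AntiXsrfUserNameKey As String = "__AntiXsrfUserName"
    Private _antiXsrfTokenValue As String

    Protected Sub Page_Init(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Init
        ' Reuse the per-browser token from the cookie, or mint a fresh one.
        ' Session.SessionID is not used: until something is stored in the
        ' session, ASP.NET generates a new ID per request, so the key that
        ' MACs the ViewState at render time would not match on postback.
        Dim requestCookie As HttpCookie = Request.Cookies(AntiXsrfTokenKey)
        Dim requestCookieGuidValue As Guid
        If requestCookie IsNot Nothing AndAlso _
           Guid.TryParse(requestCookie.Value, requestCookieGuidValue) Then
            _antiXsrfTokenValue = requestCookie.Value
        Else
            _antiXsrfTokenValue = Guid.NewGuid().ToString("N")
            Dim responseCookie As New HttpCookie(AntiXsrfTokenKey)
            responseCookie.HttpOnly = True
            responseCookie.Value = _antiXsrfTokenValue
            If FormsAuthentication.RequireSSL AndAlso Request.IsSecureConnection Then
                responseCookie.Secure = True
            End If
            Response.Cookies.Set(responseCookie)
        End If

        ' ViewStateUserKey must be assigned before ViewState is loaded, so Init is
        ' the last safe place to set it.
        Page.ViewStateUserKey = _antiXsrfTokenValue

        ' The master page has no PreLoad event; hook the hosting Page's event.
        AddHandler Page.PreLoad, AddressOf Master_Page_PreLoad
    End Sub

    Private Sub Master_Page_PreLoad(ByVal sender As Object, ByVal e As EventArgs)
        Dim userName As String = If(Context.User.Identity.Name, String.Empty)
        If Not IsPostBack Then
            ' First render: record the token and the user the page was rendered for
            ViewState(AntiXsrfTokenKey) = Page.ViewStateUserKey
            ViewState(AntiXsrfUserNameKey) = userName
        Else
            ' Postback: the token and user stored in ViewState must match the
            ' cookie token and the currently authenticated user
            If CStr(ViewState(AntiXsrfTokenKey)) <> _antiXsrfTokenValue OrElse _
               CStr(ViewState(AntiXsrfUserNameKey)) <> userName Then
                Throw New InvalidOperationException("Validation of Anti-XSRF token failed.")
            End If
        End If
    End Sub
End Class
```

The Handles Me.Init clause on the master page replaces the content page's Page_Init from the original report; content pages then need no per-page code, since every page that uses this master gets the same ViewStateUserKey and the same PreLoad check.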
Posted by VG_mnet on 1/14/2013 at 8:37 AM
Is there any update on this? I haven't heard anything in 2 months. Thanks
-VG
Posted by Microsoft on 11/7/2012 at 2:33 AM
Thank you for submitting feedback on Visual Studio and .NET Framework. Your issue has been routed to the appropriate VS development team for investigation. We will contact you if we require any additional information.
Posted by VG_mnet on 11/5/2012 at 10:07 AM
Ugh! I am not able to reproduce this on a test server, only when we deploy to production. As soon as I set the ViewStateUserKey to Session.SessionID, our end users get the MAC validation error immediately. As soon as we remove it, it stops. I can't repro on my localhost or test site. Could this be a setting in IIS? We are on IIS6.
Posted by Microsoft on 11/2/2012 at 1:57 AM
Thank you for submitting feedback on Visual Studio and .NET Framework. We are sorry we can't reproduce your issue. We are requesting a demo project to help us repro it. Please submit this information to us within 4 business days.
************************************************************
Please zip the file and use "FeedbackID-XXXXXX" as prefix of the file name.
************************************************************
You can use the following workspace to upload the file: https://sftus.one.microsoft.com/choosetransfer.aspx?key=9415c965-6590-4d5f-8331-614ff9c106df
Password: Z1_)G37MTk
Thanks again for your efforts and we look forward to hearing from you.
Microsoft Visual Studio Connect Support Team
Posted by Microsoft on 11/1/2012 at 12:50 PM
Thank you for your feedback, we are currently reviewing the issue you have submitted. If this issue is urgent, please contact support directly (http://support.microsoft.com).