Invalid ViewState since installing ASP.NET Oracle Padding Security Vulnerability

Since the installation of the security patch for the ASP.NET Oracle Padding vulnerability, any user who has been late on our site receives error messages when they get to any page.

Errors registered on the server:

System.Web.UI.ViewStateException: Invalid viewstate. Client IP: xxx.xxx.xxx.xxx Port: 55796 User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0 ViewState: l4nsXEvWcOwlDpmdbxw916bpHoPiqdBP7Syb+zCQAv44xv/r3oLtETKTL28/Gts6 Referer: Path: /product/4795/fender-usa-deluxe-stratocaster-mn-olympic-white-pearl 

When user errors are disabled, the user sees the following information:

 Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. Exception Details: System.Web.HttpException: Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster. Source Error: An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below. Stack Trace: [ViewStateException: Invalid viewstate. Client IP: xxx.xxx.xxx.xxx Port: 3588 User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.5; .NET CLR 2.0.50727; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) ViewState: s0toPCu7bxkB7a3G+KTxawY3ILf1qunZyIqNBKg8xSoqY2BkWIUCJAHKFKo2RnJw Referer: Path: /] [HttpException (0x80004005): Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.] 
System.Web.UI.ViewStateException.ThrowError(Exception inner, String persistedState, String errorPageMessage, Boolean macValidationError) +118 System.Web.UI.ViewStateException.ThrowMacValidationError(Exception inner, String persistedState) +13 System.Web.UI.ObjectStateFormatter.Deserialize(String inputString) +238 System.Web.UI.ObjectStateFormatter.System.Web.UI.IStateFormatter.Deserialize(String serializedState) +5 System.Web.Mvc.AntiForgeryDataSerializer.Deserialize(String serializedToken) +90 

The solution to this problem is to delete all cookies and log in, but obviously the average user will not know how to do this, and I'm worried that they will just think that our site is broken.

Is there anything I can do about this, for example, force people who are logged in to log in again?

Thanks for any help you can give.

+4
3 answers

This probably cannot be avoided. If they change the key generation / verification code, all cookies currently created will now be invalid.

You can catch the exception using the error descriptor in global.asax (or httpmodule) and try to remove the forms authentication cookie from the user's computer.

This can make it work.

+2
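One way to implement the approach from this answer (catch the failure in global.asax and expire the stale cookies) is shown below. This is an added example, not code from the question or the answer, and it assumes a Forms-authentication site; the `__RequestVerificationToken` cookie-name prefix is an assumption based on the `AntiForgeryDataSerializer.Deserialize` frame in the posted stack trace, and the `?reason=patch` query string is a placeholder your login page can use to explain why the user was signed out.

```csharp
// Global.asax.cs -- added example; not from the original question or answers.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx == null) return; // e.g. errors raised outside a request

        Exception ex = ctx.Server.GetLastError();
        if (!IsViewStateMacFailure(ex)) return; // let other errors reach the normal handler

        // Expire the forms-authentication cookie, which the patch's new key
        // material can no longer validate...
        ExpireCookie(ctx, FormsAuthentication.FormsCookieName, FormsAuthentication.FormsCookiePath);

        // ...and any anti-forgery cookie (assumed prefix; the stack trace shows
        // AntiForgeryDataSerializer.Deserialize failing on the same request).
        foreach (string name in ctx.Request.Cookies.AllKeys)
        {
            if (name.StartsWith("__RequestVerificationToken", StringComparison.Ordinal))
                ExpireCookie(ctx, name, "/");
        }

        // Swallow the error and send the user to the login page instead of
        // the yellow error screen. Once the cookies are gone the next request
        // no longer carries stale data, so this does not loop.
        ctx.Server.ClearError();
        ctx.Response.Redirect(FormsAuthentication.LoginUrl + "?reason=patch", true);
    }

    // Walk the exception chain: ASP.NET wraps the ViewStateException in an
    // HttpException, exactly as the posted stack trace shows.
    private static bool IsViewStateMacFailure(Exception ex)
    {
        for (; ex != null; ex = ex.InnerException)
        {
            if (ex is ViewStateException) return true;

            HttpException http = ex as HttpException;
            if (http != null &&
                http.Message.IndexOf("viewstate MAC failed", StringComparison.OrdinalIgnoreCase) >= 0)
                return true;
        }
        return false;
    }

    // Overwrite the cookie with an already-expired one on the same path so the
    // browser discards it; the path must match or the browser keeps the original.
    private static void ExpireCookie(HttpContext ctx, string name, string path)
    {
        HttpCookie cookie = new HttpCookie(name, string.Empty);
        cookie.Expires = DateTime.UtcNow.AddYears(-1);
        cookie.Path = path;
        cookie.HttpOnly = true;
        ctx.Response.Cookies.Add(cookie);
    }
}
```

This only helps with the cookie case. A page that was already open in a browser before the patch still carries a ViewState signed with the old key, so its first postback will fail once; after the redirect the freshly rendered page works normally. Keep the existing logging of `ViewStateException` (Client IP, User-Agent, Path) so that a burst of these after the rollout can be distinguished from someone tampering with ViewState.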

I say this without knowing it or the patch, but:

If this happens in the application, try to catch the exception(s) that cause the error page and create a custom page explaining the steps necessary to continue. If this happens on the server, there may be a whole bunch of settings (in IIS) that may or may not be used.

0

What you describe does not look like an invalid ViewState, but invalid cookies.

If you are sure that this is a ViewState, then they are submitting pages that they opened in their browsers / this is not related to cookies.

Regarding auth cookies, I would expect asp.net authorization to redirect to your login page. Do you do anything custom with auth tickets / cookies?

0
