If broken it is, fix it you should

Using the powers of the debugger to solve the problems of the world - and a bag of chips    by Tess Ferrandez, ASP.NET Escalation Engineer (Microsoft)

A Case of Invalid Viewstate

A Case of Invalid Viewstate

  • Comments 38

Last week I was helping a colleague of mine with a viewstate case that turned out to be pretty interesting...

Scenario

The customer was getting events similar to the following in the eventlog and needed to know why they occurred

Event Type: Information
Event Source: ASP.NET 2.0.50727.0
Event Category: Web Event
Event ID: 1316
Date: 2007-06-11
Time: 09:48:02
User: N/A
Computer: MYMACHINE

Description:

Event code: 4009
Event message: Viewstate verification failed. Reason: The viewstate supplied failed integrity check.
Event time: 2007-06-11 09:48:02
Event time (UTC): 2007-06-11 07:48:02
Event ID: 14cc57c05e834de98c7df506a013a706
Event sequence: 10
Event occurrence: 1
Event detail code: 50203

Application information:

Application domain: /LM/w3svc/1/root/MyApp-3-128260216693527710
Trust level: Full
Application Virtual Path: /MyApp
Application Path: c:\inetpub\wwwroot\MyApp\
Machine name: MYMACHINE

Process information:

Process ID: 3640
Process name: w3wp.exe
Account name: NT AUTHORITY\NETWORK SERVICE
Request information:
Request URL: http://mymachine/MyApp/MyWebForm.aspx
Request path: /TestBadViewstate/WebForm1.aspx
User host address: 127.0.0.1
User:
Is authenticated: False
Authentication Type:
Thread account name: NT AUTHORITY\NETWORK SERVICE

ViewStateException information:

Exception message: Invalid viewstate.
Client IP: 127.0.0.1
Port: 14644
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04324.17; InfoPath.2)
PersistedState:
dDwxOTM2NzUxODMzO3Q8O2w8aTwxPjs+O2w8dDw7bDxpPDE+Oz47bDx0PHA8bDxfX0hlYWRpbmc7PjtsPENvdXJzZSBTZWFyY2g7Pj47bDxpPDE+Oz47bDx0PDtsPGk8MT47aTwzPjs+O2w...
Referer: http://SomeThirdPartySite.com/SomePage.htm
Path: /MyApp/MyWebForm.aspx

Custom event details:

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

 

And the callstack reported was:

[HttpException (0x80004005): Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> 
configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.]

System.Web.UI.ViewStateException.ThrowError(Exception inner, String persistedState, String errorPageMessage, Boolean macValidationError) +119
System.Web.UI.ObjectStateFormatter.Deserialize(String inputString) +252
System.Web.UI.ObjectStateFormatter.System.Web.UI.IStateFormatter.Deserialize(String serializedState) +5
System.Web.UI.Util.DeserializeWithAssert(IStateFormatter formatter, String serializedState) +37
System.Web.UI.HiddenFieldPageStatePersister.Load() +222
System.Web.UI.Page.LoadPageStateFromPersistenceMedium() +80
System.Web.UI.Page.LoadAllState() +35
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +9041
System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +217
System.Web.UI.Page.ProcessRequest() +85
System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) +20
System.Web.UI.Page.ProcessRequest(HttpContext context) +110
ASP.MyPage_aspx.ProcessRequest(HttpContext context) +30
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +405
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +65

 

 

Troubleshooting

If you get viewstate errors on 1.1. and dont get events like the above, make sure that you have SP1 installed or at least a version of 1.1 later than http://support.microsoft.com/?id=831150  since this hotfix introduced the type of logging above, which is crucial to troubleshooting most viewstate errors.

Viewstate, as most of you know, is a Base64 encoded string containing information about the state of the controls on the webform.  To avoid tampering the viewstate is validated against the machine key, pagename etc. and if the string is either corrupt in some way such that it cant be Base64 decoded or such that it doesn't pass validation you will get an error like the above.

Typically viewstate errors will occur if

  • You're on a web farm and the machine keys are not consistent on all nodes
  • You're on a web farm and the page is slightly different on one node than ot the others, for example if one node is upgraded to 2.0 and the other is still 1.1 or if some controls used on the page are built differently

For a more comprehensive list see: http://support.microsoft.com/?id=829743

 

In this particular case they had just upgraded to 2.0 from 1.1, they were not running on a web farm.  The error occurred intermittently and only on two specific pages, but most of the time these pages were served just fine without viewstate errors.

Since it is very unusual for errors like this to occur in a non-web farm scenario, especially intermittently, this issue was very curious.   I have seen that happen sometimes when the client was a mobile device and the viewstate was very large as some mobile devices will only send x kb of data so the issue there would be that the viewstate was corrupted because not all the viewstate was sent.   In this case the client was IE 7.0 so no such luck...

I used Fritz Onion's viewstatedecoderr to decode the viewstate to verify that it wasn't corrupted and sure enough the viewstate was just fine, the contents seemed to be fairly standard textboxes etc.

Lucky break

Lucky for me, and for them:)  I have seen enough encoded viewstate to know what viewstate is supposed to look like, so when i took another look at the eventlog entry i noticed that the persisted state started with dDw...    to most people this probably just looks like mumbojumbo but I happen to know that viewstate on 2.0 is supposed to start with /wE...  in fact when I browsed their site on the internet I could indeed see that the typical viewstate for these affected pages (from the hidden viewstate field in view source) was perfectly normal 2.0 viewstate while the dDw... that was sent to the page is typical for 1.1 viewstate.

Knowing this, the question is now, where does this 1.1. viewstate come from?   This is where the eventlog entry comes in handy again... and if you have jumped ahead a bit you have probably noticed by now that the referer is a htm page http://somethirdpartysite.com/SomePage.htm, in other words. there is nothing wrong with the site itself, the problem is that somehow this 3rd party site is posting 1.1. viewstate to the page, and of course that won't validate well against the new 2.0 page.

Browsing to the 3rd party site and looking at the source for the htm file we can see what we already suspected... the page contains a form, with a hidden viewstate field and the post action for the form is our aspx page, so this 3rd party site apparently did a bit of a hack, copying the viewstate while this site was still 1.1. and posting that viewstate to the form... 

Technically, noone but the aspx page itself should really be allowed to post to the aspx page, so anytime the referer of a post to the aspx page is someone other than itself that is bad, and again, to guard against things like this the viewstate validation exists, but of course it might prove to cause a bit of a troubleshooting headache for you.

 

Conclusion

The solution in this case was to talk to the 3rd party site, let them know about the upgrade and ask them to avoid posting to the site but rather link to the site or redirect to it since there is no way of knowing how long viewstate will be valid as it can change with any type of upgrade to the page.

If there is a benefit to having the 3rd party site being able to post data and show the results in their proprietary format, a web service would be a pretty good solution.

 

Until next time

Tess





  • Hi Tess,

    We are also facing the problem with ViewState corruption.

    Our scenario is as follows :-

    We login to mobDefault.aspx.

    This page get refresh every 60 seconds. We have used following tags in <head> tag of the page

       <META HTTP-EQUIV="REFRESH" CONTENT="60">

       <META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">

    (we have also tried javascript setTimeout)

    We get the ViewState corruption error on the first Refresh

    but that if we refresh the page manually the error dosen't occur.

    We have also noticed that error occurs only if we leave the page idle till the First Auto Refresh event fires. But if click on some other link and then come back to orignial position the Viewstate error is not shown.

    Just FYI.

    * We are not using WebFarm.

    * There is no reference to any 3rd party control or Page.

    * This error is shown only on Mobile Browser (I.E 7.0)

    * It work fine on Opera Mobile and also Desktop Browser.

    Error is as follows:

    Server Error in '/Caveman' Application.

    Validation of viewstate MAC failed....................

    ..................................................................................................................

    ...................

    Stack Trace:

    [HttpException (0x80004005): Unable to validate data.]

      System.Web.Configuration.MachineKeySection.GetDecodedData(Byte[] buf, Byte[] modifier, Int32 start, Int32 length, Int32& dataLength) +289

      System.Web.UI.ObjectStateFormatter.Deserialize(String inputString) +140

    [ViewStateException: Invalid viewstate.

    Client IP: 82.132.136.161

    Port: 41776

    User-Agent: Xda_orbit_2/240x320 (compatible; MSIE 6.0; Windows CE; IEMobile 7.11)

    ViewState: /wEXAQUDX19QD2QPBhzGKXiEkcuIZq7MBnDmV2mxi/PjOP9yPINPDPrw

    Referer:

    Path: /Caveman/MobilePages/mobDefault.aspx]

    [HttpException (0x80004005): Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.]

      System.Web.UI.ViewStateException.ThrowError(Exception inner, String persistedState, String errorPageMessage, Boolean macValidationError) +106

      System.Web.UI.ViewStateException.ThrowMacValidationError(Exception inner, String persistedState) +14

      System.Web.UI.ObjectStateFormatter.Deserialize(String inputString) +242

      System.Web.UI.ObjectStateFormatter.System.Web.UI.IStateFormatter.Deserialize(String serializedState) +4

      System.Web.UI.Util.DeserializeWithAssert(IStateFormatter formatter, String serializedState) +37

      System.Web.UI.HiddenFieldPageStatePersister.Load() +207

      System.Web.UI.Page.LoadPageStateFromPersistenceMedium() +105

      System.Web.UI.Page.LoadAllState() +43

      System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +6785

      System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +242

      System.Web.UI.Page.ProcessRequest() +80

      System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) +21

      System.Web.UI.Page.ProcessRequest(HttpContext context) +49

      ASP.mobilepages_mobdefault_aspx.ProcessRequest(HttpContext context) +37

      System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +181

      System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75

    Version Information: Microsoft .NET Framework Version:2.0.50727.3082; ASP.NET Version:2.0.50727.3082

    thanks in advance

    Regards

    Abhijit

  • Tess,

    We are seeing the same this - our viewstate begins with /wEP - but right after this error we have a second error

    (Server001) - Large event record (33932 bytes): possible attack on event log

    Could our viewstate be too large?

    Thanks,

    Doug

  • That's a definite possiiblity:)  There is no "real" limits on how large it can be, but given that message I would do view source on the page and save out the viewstate to check how big it is.  If the viewstate is very big it can cause various issues like bandwidth issues, clients disconnecting because it takes to long to download etc.

    One of the most common viewstate exceptions is actually client disconnect errors where clients shut down the browser or press stop before the full viewstate is copied down, but you can see that in the error message

  • Thanks for the great post.  This for sure enlight me in the mystery world of the viewstate.  I was still under the belief that the browser were all using port 80 but now that I read your post I understand a bit better.  

    I am also having an issue with the viewstate and this have been going on for years and I never figured out what is really going on or never find a good resource that was able to answer.   My site is hosted on a share environment(no web farm) so I cannot access the Log Viewer.  However I get the errors sent by email each time a problem occur.  I am not able to reproduce the error and all I can say is that I received many errors like this every day.  My thought was that some funny guy somewhere in india or else was trying to hack my site but maybe it's not the case.  Anyway I would appreciate if I could have you opinion on this.

    Error:

    =============

    Message

    Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.

    Source

    System.Web

    StackTrace

    at System.Web.UI.ViewStateException.ThrowError(Exception inner, String persistedState, String errorPageMessage, Boolean macValidationError) at System.Web.UI.ViewStateException.ThrowMacValidationError(Exception inner, String persistedState) at System.Web.UI.ObjectStateFormatter.Deserialize(String inputString) at System.Web.UI.ObjectStateFormatter.System.Web.UI.IStateFormatter.Deserialize(String serializedState) at System.Web.UI.Util.DeserializeWithAssert(IStateFormatter formatter, String serializedState) at System.Web.UI.HiddenFieldPageStatePersister.Load() at System.Web.UI.Page.LoadPageStateFromPersistenceMedium() at System.Web.UI.Page.LoadAllState() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest() at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) at System.Web.UI.Page.ProcessRequest(HttpContext context) at ASP.company_contact_aspx.ProcessRequest(HttpContext context) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

    Inner Exception

    Invalid viewstate. Client IP: 195.216.197.102 Port: 2777 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705; .NET CLR 1.1.4322) ViewState: /wEPDwUKMTA0ODg1NDczOA9kFgICAw9kFjwCAw9kFgICBA88KwAJAgAPFgYeDFNlbGVjdGVkTm9kZQUOTmF2MV9teVRyZWV0NDceDU5ldmVyRXhwYW5kZWRkHgtfIURhdGFCb3VuZGdkCBQrAAIFAzA6MBQrAAIWEB4EVGV4dAUESG9tZR4LTmF2aWdhdGVVcmwFDn4vZGVmYXVsdC5hc3B4HgxTZWxlY3RBY3Rpb24LKi5TeXN0ZW0uV2ViLlVJLldlYkNvbnRyb2xzLlRyZWVOb2RlU2VsZWN0QWN0aW9uAh4IRGF0YVBhdGgFIC8qW3Bvc2l0aW9uKCk9MV0vKltwb3NpdGlvbigpPTFdHglEYXRhQm91bmRnHhBQb3B1bGF0ZU9uRGVtYW5kaB4IRXhwYW5kZWRnHglQb3B1bGF0ZWRnFCsA Referer: http://www.clemex.com/Company/Contact.aspx Path: /Company/Contact.aspx

    =============

  • The thread is great, but it goes into tricky details, and does not explain some simple cases, like one machine, application pool.

    For a novice getting "Viewstate verification failed. Reason: The viewstate supplied failed integrity check." I would recommend reading http://www.codeproject.com/kb/aspnet/machineKey.aspx and http://msdn.microsoft.com/en-us/library/ms998288.aspx

  • Do you know much about the ASP.NET Oracle Padding Vulnerability Security Patch and how that has affected viewstate processing?

    Before the patch was applied all our Invalid Viewstates spread out over the 100 websites we've developed and host were on ScriptResource.axd and WebResource.axd handlers (error message only says invalid viewstate, but contians stacktraces) broken out by browser and error count as follows:

    Pre-patch (2009-05-01 -> 2010-09-29)

    IE8 5222

    IE7 363

    IE6 171

    Firefox 9

    Opera 0

    Safari 0

    Chrome 0

    Our underatanding is that there was a IE8 bug (now fixed but people may not have the patch) with speculative downloading of scripts that causes an invalid viewstate error but the scripts still get downloaded and has no effect on end user experience.

    However, after the patch was applied the invalid viewstates no longer occurrs on the script handlers and instead occurs on aspx pages (error message now contains client ip, port, useragent etc with no stacktrace) broken out by browser and error count below:

    Post-patch (2010-09-29 -> 2011-01-19)

    IE8 565

    IE7 179

    IE6 2420

    Firefox 358

    Opera 231

    Safari 223

    Chrome 110

    Thanks,

    Michael

    csolutions.co.nz

  • Removing " action="pagename....aspx" " from form tag fixed this error: Event message: Viewstate verification failed. Reason: Viewstate was invalid.

  • let me now about this error message problem  please solve and tell me.

    Event code: 3005

    Event message: An unhandled exception has occurred.

    Event time: 11/10/2012 1:47:06 AM

    Event time (UTC): 11/9/2012 8:17:06 PM

    Event ID: 31884226b9af4854a5d30df7b9e7c0e0

    Event sequence: 18525

    Event occurrence: 2

    Event detail code: 0

    Process information:

       Process ID: 6200

       Process name: w3wp.exe

       Account name: NT AUTHORITY\NETWORK SERVICE

    Exception information:

       Exception type: FormatException

       Exception message: Input string was not in a correct format.

Page 3 of 3 (38 items) 123
Leave a Comment
  • Please add 6 and 8 and type the answer here:
  • Post