Undocumented Security 'Feature' in ASP.net
-
Event validation is used in ASP.Net to make sure that the browser that issued the control event handler call, is the same browser that was issued the control in the first place. This is a pretty good feature because it prevents some types of XSS attacks, but it also results in a weird bug that took me about a week to figure out. I began to get this error message on my page whenever I clicked an ImageButton that was in a user control:
Invalid postback or callback argument. Event validation is enabled using in configuration or <%@ page enableeventvalidation="true" %> in a page. For security purposes, this feature verifies that arguments to postback or callback events originate from the server control that originally rendered them. If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the postback or callback data for validation.
That makes it sound like you can just turn off event validation or 'register' the event and it will work, but turning off the validation opens you up to the security issue, so I didn't want to do that. Registering the event just didn't work. I wanted to find out why the page worked fine for months and then suddenly was having this problem. The answer: apparently you can't have two different controls pointed at the same code-behind event handler. I had two buttons which did the same thing, so I thought it would be efficient to assign them both the same event handler. Big No-no. In a Windows application this idea works wonderfully, and has saved me a lot of time, but it's completely broken in ASP.Net pages. What I had to do was set up a special handler for each of my duplicate buttons and those event handlers call the main one in the code-behind page. Very strange overall, but I see a lot of folks out there having trouble with this error, and I'm sure somebody has done the same thing I did. The error can be caused by other mistakes, but those are more obvious.
"Quality Software since 1983!" http://www.smoothjazzy.com/ - see the "Programming" section for (freeware) JazzySiteMaps, a simple application to generate .Net and Google-style sitemaps!
-
Event validation is used in ASP.Net to make sure that the browser that issued the control event handler call, is the same browser that was issued the control in the first place. This is a pretty good feature because it prevents some types of XSS attacks, but it also results in a weird bug that took me about a week to figure out. I began to get this error message on my page whenever I clicked an ImageButton that was in a user control:
Invalid postback or callback argument. Event validation is enabled using in configuration or <%@ page enableeventvalidation="true" %> in a page. For security purposes, this feature verifies that arguments to postback or callback events originate from the server control that originally rendered them. If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the postback or callback data for validation.
That makes it sound like you can just turn off event validation or 'register' the event and it will work, but turning off the validation opens you up to the security issue, so I didn't want to do that. Registering the event just didn't work. I wanted to find out why the page worked fine for months and then suddenly was having this problem. The answer: apparently you can't have two different controls pointed at the same code-behind event handler. I had two buttons which did the same thing, so I thought it would be efficient to assign them both the same event handler. Big No-no. In a Windows application this idea works wonderfully, and has saved me a lot of time, but it's completely broken in ASP.Net pages. What I had to do was set up a special handler for each of my duplicate buttons and those event handlers call the main one in the code-behind page. Very strange overall, but I see a lot of folks out there having trouble with this error, and I'm sure somebody has done the same thing I did. The error can be caused by other mistakes, but those are more obvious.
"Quality Software since 1983!" http://www.smoothjazzy.com/ - see the "Programming" section for (freeware) JazzySiteMaps, a simple application to generate .Net and Google-style sitemaps!
Jasmine2501 wrote:
The answer: apparently you can't have two different controls pointed at the same code-behind event handler.
Works fine with me, be it Buttons, LinkButtons or ImageButtons you can even mix them, if possible, for example you can have the same click event handler for a Button and a LinkButton (ImageButtons have a different type of argument). I remember stumbling across this problem once, but since I was working on an intranet website, and had neither found any usable information on the problem, nor the time to continue searching, I decided to handle it the easy way, and turned off event validation. Also that was the only time, so I don't really know what the real problem could have been. But assigning one event handler to two different controls alone is not the source of the issue (though it could be a part of it). So by using different event handlers for each control you only treat the symptom, but do not cure the illness. Like I did back then in a very unprofessional way...
-
Jasmine2501 wrote:
The answer: apparently you can't have two different controls pointed at the same code-behind event handler.
Works fine with me, be it Buttons, LinkButtons or ImageButtons you can even mix them, if possible, for example you can have the same click event handler for a Button and a LinkButton (ImageButtons have a different type of argument). I remember stumbling across this problem once, but since I was working on an intranet website, and had neither found any usable information on the problem, nor the time to continue searching, I decided to handle it the easy way, and turned off event validation. Also that was the only time, so I don't really know what the real problem could have been. But assigning one event handler to two different controls alone is not the source of the issue (though it could be a part of it). So by using different event handlers for each control you only treat the symptom, but do not cure the illness. Like I did back then in a very unprofessional way...
It could be possible that you are in a weird 'in-between' period. When I first made that change, the site worked fine. After a while it failed miserably. I am not sure what triggered the failure, because I was working on another site (and not changing the 'broken' site) for almost a week when the error popped up for one of my users. Then I went to test it and it was completely reliably broken on multiple clients. I can create a page that will have the problem reliably. I suppose it could be a problem on my server. All I know is that the problem was completely reproducible, and it went away when I fixed the issue with duplicate event handler calls. As I mentioned, I had been using that technique with Windoze applications without any problem, so I didn't see an issue doing it with my web page. I made the changes, tested them, uploaded them to the server, tested them there, and went on my merry way. A week later one of my members called me on the phone, wicked pissed off about the broken page. I explained that I hadn't changed anything but would look into it, gave them a temporary workaround, and proceeded to test the pages again... all buttons with a duplicate handler were broken. It's all very strange, but I figured I'd let people know that it's something to look for if they see this error. I have two toolbars that are identical, at the top and bottom of the page, simply for convenience since the page is about two screens high. The correct way to do that is to use the same event handlers for each duplicate button, but I had to do a workaround. That's just the way it goes I guess.
"Quality Software since 1983!"
http://www.smoothjazzy.com/ - see the "Programming" section for (freeware) JazzySiteMaps, a simple application to generate .Net and Google-style sitemaps! -
Event validation is used in ASP.Net to make sure that the browser that issued the control event handler call, is the same browser that was issued the control in the first place. This is a pretty good feature because it prevents some types of XSS attacks, but it also results in a weird bug that took me about a week to figure out. I began to get this error message on my page whenever I clicked an ImageButton that was in a user control:
Invalid postback or callback argument. Event validation is enabled using in configuration or <%@ page enableeventvalidation="true" %> in a page. For security purposes, this feature verifies that arguments to postback or callback events originate from the server control that originally rendered them. If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the postback or callback data for validation.
That makes it sound like you can just turn off event validation or 'register' the event and it will work, but turning off the validation opens you up to the security issue, so I didn't want to do that. Registering the event just didn't work. I wanted to find out why the page worked fine for months and then suddenly was having this problem. The answer: apparently you can't have two different controls pointed at the same code-behind event handler. I had two buttons which did the same thing, so I thought it would be efficient to assign them both the same event handler. Big No-no. In a Windows application this idea works wonderfully, and has saved me a lot of time, but it's completely broken in ASP.Net pages. What I had to do was set up a special handler for each of my duplicate buttons and those event handlers call the main one in the code-behind page. Very strange overall, but I see a lot of folks out there having trouble with this error, and I'm sure somebody has done the same thing I did. The error can be caused by other mistakes, but those are more obvious.
"Quality Software since 1983!" http://www.smoothjazzy.com/ - see the "Programming" section for (freeware) JazzySiteMaps, a simple application to generate .Net and Google-style sitemaps!
Wrong answer i'm afraid. I guarantee you that something changed that affected your application - be it some configuration or code. The very ASP.NET page im working on at the moment has code like this:
- A
- B
- C
...etc --- How to get answers to your questions[^]
-
Wrong answer i'm afraid. I guarantee you that something changed that affected your application - be it some configuration or code. The very ASP.NET page im working on at the moment has code like this:
- A
- B
- C
...etc --- How to get answers to your questions[^]
All I'm doing is saying what happened and what caused it. You're free to disagree with me if you like, but that's what happened. Could have something to do with the fact I'm using a User Control, but I don't know. Also, you could have event validation turned off. I'm not sure why this happens in my site and not in yours, but it happens, and it's reproducible. If I add the double event handler call, the page breaks. All I'm saying is that, if you are having this problem, this is something to look at. I'm not garaunteeing it will fix the problem, because I know this error can be caused by a whole host of other stuff. All I know is that I don't have to fix anything else to get the page to work correctly. I wish I could get help debugging it, because I would like it to work right, but it's on a secure part of my site (not https, just password-protected).
"Quality Software since 1983!"
http://www.smoothjazzy.com/ - see the "Programming" section for (freeware) JazzySiteMaps, a simple application to generate .Net and Google-style sitemaps!