I blogged yesterday about fixing the 'Invalid postback or callback...' problem in an ASP.NET web page. The posted solution involved programatically turning off the EnableEventValidation property for the entire page. I mentioned that there are some security issues with this approach and that caution is advised when turning off security features in any code that one writes.
Well, with a bit more digging, I have now managed to turn off event validation at the control level rather than the page level. This means that you can ensure that the page is still validated, but that a specific control does not participate in event validation. From a security perspective, this is a significant improvement on the previous solution (but still not perfect).
Very briefly, the problem we are trying to solve is that ASP.NET 2.0 validates postbacks. It does this by storing the unique ID of a control (for example a drop down list) and all of it's possible values in a hash. When the client does a postback, the runtime checks that the unique ID and value combination submitted by the client exist in the hash. If the client has changed the unique id, or changed/added any values the server will not know about it and will not be able to validate the postback. This is to prevent malicious code from spoofing a postback. (see http://odetocode.com/Blogs/scott/archive/2006/03/20/3145.aspx for more info)
With things like AJAX playing about with javascript under the covers, the potential for this happening is increased.
To prevent postback validation at a control level, one must create a custom web control. Imagine that you want to turn off event validation for a drop down list, but the drop down list exposes no property/method to turn off validation.
This can be overcome by creating a custom drop down list and ommiting the [SupportsEventValidation] attribute from the class. This attribute is in fact ommited by default, so all you actually need to do is create a custom control which inherits from System.Web.Ui.WebControls.DropDownList, remove any custom implementations (by default, Visual Studio creates an override for the RenderContents method and the Text property) and you're done!
Now use this control in place of a standard drop down list and hey presto... no more errors :-)
Showing posts with label Invalid postback or callback. Show all posts
Showing posts with label Invalid postback or callback. Show all posts
Friday, 5 September 2008
Thursday, 4 September 2008
Invalid Postback or callback argument. A code behind solution to this problem...
I have recently been taking my first tentative steps into the world of AJAX, and believe me, it's a mine field out there!!
A problem that was really bugging me was getting the infamous error:
Invalid Postback or callback argument . Event validation is enabled usingin configuration or <%@ Page EnableEventValidation="true" %>in a page. For security purposes, this feature verifies that arguments to Postback or callback events originate from the server control that originally rendered them. If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the Postback or callback data for validation.
As I did not write the code I was working with, I couldn't identify exactly which controls were causing the problem, nor did I know exactly which pages were affected. As a result adding the
EnableEventValidation="False" to the @Page tag of all the aspx files was not possible.
Luckily however, all of the pages on the site derive from a custom Page class (which inherits from System.Web.UI.Page).
This meant that I could override the EnableEventValidation property from the code behind rather than relying on finding all the page tags.
The code in the Page class goes a bit like this:
public override bool EnableEventValidation
{
get {return false;}
set {base.EnableEventValidation = value;}
}
This simply ensures that event validation is always false, regardless of what the @Page tag says!
I hope this helps someone, but it is worth pointing out one or two issues here:
For more information, you could try http://aspnet.4guysfromrolla.com/demos/printPage.aspx?path=/articles/122006-1.aspx which pointed me in the right direction for this solution. Also
http://odetocode.com/Blogs/scott/archive/2006/03/20/3145.aspx and http://odetocode.com/Blogs/scott/archive/2006/03/21/3153.aspx are very useful.
A problem that was really bugging me was getting the infamous error:
Invalid Postback or callback argument . Event validation is enabled using
As I did not write the code I was working with, I couldn't identify exactly which controls were causing the problem, nor did I know exactly which pages were affected. As a result adding the
EnableEventValidation="False" to the @Page tag of all the aspx files was not possible.
Luckily however, all of the pages on the site derive from a custom Page class (which inherits from System.Web.UI.Page).
This meant that I could override the EnableEventValidation property from the code behind rather than relying on finding all the page tags.
The code in the Page class goes a bit like this:
public override bool EnableEventValidation
{
get {return false;}
set {base.EnableEventValidation = value;}
}
This simply ensures that event validation is always false, regardless of what the @Page tag says!
I hope this helps someone, but it is worth pointing out one or two issues here:
- EventValidation is a security feature added to ASP.NET 2.0 to prevent postback spoofing. Turning it off could leave your website vulnerable to injection attacks.
- Overriding the EnableEventValidation at the base class level will ignore anything set in the @page directive. Developers may therefore believe they have told the page to do one thing and be very confused when it does not behave as expected. Event worse, they may never notice that event validation is turned off, which could pose unidentified issues when the website is live.
For more information, you could try http://aspnet.4guysfromrolla.com/demos/printPage.aspx?path=/articles/122006-1.aspx which pointed me in the right direction for this solution. Also
http://odetocode.com/Blogs/scott/archive/2006/03/20/3145.aspx and http://odetocode.com/Blogs/scott/archive/2006/03/21/3153.aspx are very useful.
Subscribe to:
Comments (Atom)