A Case of Invalid Viewstate

Last week I was helping a colleague of mine with a viewstate case that turned out to be pretty interesting...

Scenario

The customer was getting events similar to the following in the eventlog and needed to know why they occurred

 Event Type: Information
Event Source: ASP.NET 2.0.50727.0
Event Category: Web Event 
Event ID: 1316
Date: 2007-06-11
Time: 09:48:02
User: N/A
Computer: MYMACHINE 
Description: 

Event code: 4009 
Event message: Viewstate verification failed. Reason: The viewstate supplied failed integrity check. 
Event time: 2007-06-11 09:48:02 
Event time (UTC): 2007-06-11 07:48:02 
Event ID: 14cc57c05e834de98c7df506a013a706 
Event sequence: 10 
Event occurrence: 1 
Event detail code: 50203 


Application information: 


Application domain: /LM/w3svc/1/root/MyApp-3-128260216693527710 
Trust level: Full 
Application Virtual Path: /MyApp 
Application Path: c:\inetpub\wwwroot\MyApp\ 
Machine name: MYMACHINE 


Process information: 


Process ID: 3640 
Process name: w3wp.exe 
Account name: NT AUTHORITY\NETWORK SERVICE 
Request information: 
Request URL: https://mymachine/MyApp/MyWebForm.aspx
Request path: /TestBadViewstate/WebForm1.aspx 
User host address: 127.0.0.1 
User: 
Is authenticated: False 
Authentication Type: 
Thread account name: NT AUTHORITY\NETWORK SERVICE 


ViewStateException information: 


Exception message: Invalid viewstate. 
Client IP: 127.0.0.1 
Port: 14644 
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50727; .NET CLR 1.1.4322; .NET CLR 3.0.04324.17; InfoPath.2) 
PersistedState: 
dDwxOTM2NzUxODMzO3Q8O2w8aTwxPjs+O2w8dDw7bDxpPDE+Oz47bDx0PHA8bDxfX0hlYWRpbmc7PjtsPENvdXJzZSBTZWFyY2g7Pj47bDxpPDE+Oz47bDx0PDtsPGk8MT47aTwzPjs+O2w...
Referer: https://SomeThirdPartySite.com/SomePage.htm
Path: /MyApp/MyWebForm.aspx 


Custom event details: 
For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp. 

 

And the callstack reported was:

 [HttpException (0x80004005): Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> 
configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.]

System.Web.UI.ViewStateException.ThrowError(Exception inner, String persistedState, String errorPageMessage, Boolean macValidationError) +119
System.Web.UI.ObjectStateFormatter.Deserialize(String inputString) +252
System.Web.UI.ObjectStateFormatter.System.Web.UI.IStateFormatter.Deserialize(String serializedState) +5
System.Web.UI.Util.DeserializeWithAssert(IStateFormatter formatter, String serializedState) +37
System.Web.UI.HiddenFieldPageStatePersister.Load() +222
System.Web.UI.Page.LoadPageStateFromPersistenceMedium() +80
System.Web.UI.Page.LoadAllState() +35
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +9041
System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +217
System.Web.UI.Page.ProcessRequest() +85
System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) +20
System.Web.UI.Page.ProcessRequest(HttpContext context) +110
ASP.MyPage_aspx.ProcessRequest(HttpContext context) +30
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +405
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +65
 

 

Troubleshooting

If you get viewstate errors on 1.1. and dont get events like the above, make sure that you have SP1 installed or at least a version of 1.1 later than https://support.microsoft.com/?id=831150  since this hotfix introduced the type of logging above, which is crucial to troubleshooting most viewstate errors.

Viewstate, as most of you know, is a Base64 encoded string containing information about the state of the controls on the webform.  To avoid tampering the viewstate is validated against the machine key, pagename etc. and if the string is either corrupt in some way such that it cant be Base64 decoded or such that it doesn't pass validation you will get an error like the above.

Typically viewstate errors will occur if

• You're on a web farm and the machine keys are not consistent on all nodes
• You're on a web farm and the page is slightly different on one node than ot the others, for example if one node is upgraded to 2.0 and the other is still 1.1 or if some controls used on the page are built differently

For a more comprehensive list see: https://support.microsoft.com/?id=829743

 

In this particular case they had just upgraded to 2.0 from 1.1, they were not running on a web farm.  The error occurred intermittently and only on two specific pages, but most of the time these pages were served just fine without viewstate errors.

Since it is very unusual for errors like this to occur in a non-web farm scenario, especially intermittently, this issue was very curious.   I have seen that happen sometimes when the client was a mobile device and the viewstate was very large as some mobile devices will only send x kb of data so the issue there would be that the viewstate was corrupted because not all the viewstate was sent.   In this case the client was IE 7.0 so no such luck...

I used Fritz Onion's viewstatedecoderr to decode the viewstate to verify that it wasn't corrupted and sure enough the viewstate was just fine, the contents seemed to be fairly standard textboxes etc.

Lucky break

Lucky for me, and for them:)  I have seen enough encoded viewstate to know what viewstate is supposed to look like, so when i took another look at the eventlog entry i noticed that the persisted state started with dDw...    to most people this probably just looks like mumbojumbo but I happen to know that viewstate on 2.0 is supposed to start with /wE...  in fact when I browsed their site on the internet I could indeed see that the typical viewstate for these affected pages (from the hidden viewstate field in view source) was perfectly normal 2.0 viewstate while the dDw... that was sent to the page is typical for 1.1 viewstate.

Knowing this, the question is now, where does this 1.1. viewstate come from?   This is where the eventlog entry comes in handy again... and if you have jumped ahead a bit you have probably noticed by now that the referer is a htm page https://somethirdpartysite.com/SomePage.htm, in other words. there is nothing wrong with the site itself, the problem is that somehow this 3rd party site is posting 1.1. viewstate to the page, and of course that won't validate well against the new 2.0 page.

Browsing to the 3rd party site and looking at the source for the htm file we can see what we already suspected... the page contains a form, with a hidden viewstate field and the post action for the form is our aspx page, so this 3rd party site apparently did a bit of a hack, copying the viewstate while this site was still 1.1. and posting that viewstate to the form... 

Technically, noone but the aspx page itself should really be allowed to post to the aspx page, so anytime the referer of a post to the aspx page is someone other than itself that is bad, and again, to guard against things like this the viewstate validation exists, but of course it might prove to cause a bit of a troubleshooting headache for you.

 

Conclusion

The solution in this case was to talk to the 3rd party site, let them know about the upgrade and ask them to avoid posting to the site but rather link to the site or redirect to it since there is no way of knowing how long viewstate will be valid as it can change with any type of upgrade to the page.

If there is a benefit to having the 3rd party site being able to post data and show the results in their proprietary format, a web service would be a pretty good solution.

 

Until next time

Tess

Comments

• Anonymous
  June 11, 2007
  As a regular reader of your blog, I was interested in read about this viewstate problem, as we were experience a very, very similar problem last week. The more I read, the more it sounded like our problem. The funny thing is it turned out to be us, and we had contacted PSS over this exact problem. Anyway, much thanks for your assistance is solving this problem and for the tips on decoding viewstate and different prefixing of viewstate in different .NET versions.

• Anonymous
  June 11, 2007
  :) that is funny,  I hope you don't mind me sharing the story...   I thought it was a really interesting case and made for a good gateway to discussing other common viewstate issues.

• Anonymous
  June 12, 2007
  Apple Safari for Windows and Microsoft Silverlight [Via: interactive ] Refactoring Dumb, Dumber, Dumbest...

• Anonymous
  June 13, 2007
  Last update: June 13 , 2007 Document version 0.6 Preface If you have something to add, or want to take

• Anonymous
  August 12, 2007
  The comment has been removed

• Anonymous
  August 12, 2007
  The comment has been removed

• Anonymous
  August 12, 2007
  The comment has been removed

• Anonymous
  August 24, 2007
  I am in the same boat as William, except that my viewstate does start with /wEP. It was a postback from one of my own pages. Interestingly enough, the viewstate from the error would only decode properly using the 2.0 version of fritz's viewstate decoder. I too am running Ajax, but no third party control on the page in question. Here is my exact viewstate, there is nothing sensitive in it, so decode away: /wEPDwUJNjIxMzEzMTU0D2QWAmYPZBYCAgMPZBYCAgMPZBYCAgkPZBYCZg9kFgJmDw8WAh4ISW1hZ2VVcmwFKy4uL0FwcF9UaGVtZXMvZGVmYXVsdC9pbWFnZXMvbmVlZF9mbGFzaC5wbmdkZGQyhrbmsVJZRX/8lG0EOlJrO+vVYg==

• Anonymous
  August 26, 2007
  The comment has been removed

• Anonymous
  August 27, 2007
  Unfortunately I do not have one to remove. :( The only 3rd party control on this page's control tree is an atlas scriptmanager.

• Anonymous
  August 27, 2007
  I just noticed. Every single error that this occurred on, was from Safari on a Mac. Not sure it is relevant. Just seems odd.

• Anonymous
  August 27, 2007
  Hi Tim, The comment regarding compiled against 1.1. was based on that it was the same issue as william reported. The fact that it always occurrs from Safari on Mac is definitely interesting,  I'm not too familiar with the details of this browser but it might be that this page has very large viewstate and that there is a limit to how much Safari will post,  a lot of browsers have such a limit, especially on mobile devices (not saying that Mac is a mobile device though:)),  in any case i would say it is extremely relevant unless your site is specifically targeted to users on Mac so that the safari browser for Mac is highly represented amongst the clients.

• Anonymous
  August 27, 2007
  You are correct Tess, I think that is what I am experiencing. This is the user agent for every single error: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/522.11.1 (KHTML, like Gecko) Version/3.0.3 Safari/522.12.1 Turns out they are using the beta 3 of Safari which we did not test against. The viewstate for the page in question is quite large. I am going to try to figure out a way around this.

• Anonymous
  September 17, 2007
  The comment has been removed

• Anonymous
  September 17, 2007
  The port is the port used by the client to communicate with the server, which uniquely identifies the client.   For example if you have two browsers open going to the same site, each of them will open its own socket and get its own port (typically a port number over 5000) and communicate over this. Practically for troubleshooting viewstate errors knowing the client port is only interesting if you are grabbing network traces as well. The fact that the client ip is localhost is a bit curious, but I am guessing that is because you are testing from the server itself... Thanks Tess

• Anonymous
  October 27, 2007
  I am encountering a strange error with viewstate on my ASP.net 2.0 app. This is running on a Windows 2003 R2 Server non-web farm environment (IIS 6.0). Here is the gist of it.  I have a default.aspx page that is the login page of the application.  I can login with my userid and password, click 'submit' and I am logged in.  Now I click on 'Logout' from within the app.  This logs me out and the app does a Response.Redirect to the default.aspx (which is the login page).   Now I do nothing on this page for (approx) 1 hour.  When I then try to login, I get the viewstate error.  This occurs deterministically. Any clues? -- WP

• Anonymous
  April 15, 2008
  Try clearing your browsers cache / temporary internet files (especially you, William). This solved the problem for me. Apparently my browser cached a form containing a no longer valid vievstate. So when the form was submitted it gave this error. A Ctrl + F5 (tells IE to bypass all caches and proxies and go grab the latest version) on the form itself actually solved it, but clearing all temporary internet files should also do the trick.

• Anonymous
  April 24, 2008
  Hi Tess, Great post, cleared a lot of concepts in my mind. I am getting a weird intermittent Invalid_Viewstate error. Some of our .NET 1.1 applications throw these intermittent viewstate errors and the viewstate in the exception all starts with a /we. I was able to decode the viewstate using the 2.0 decoder as well. We have no third party sites linking to our web applications. We are running on a web farm, and the machine validation keys are the same for the web servers. Can you suggest what else we should be looking for?

• Anonymous
  May 22, 2008
  The comment has been removed

• Anonymous
  June 17, 2008
  Safari will post viewstate from a previous page on a redirect.  At the suggestion of another forum, we explicitly turn off auto-fill on the hidden fields (__VIEWSTATE, etc; document element .setAttribute('autocomplete', 'off')) and in code behind we've set: HttpContext.Current.Response.Cache.SetNoStore() But we still get viewstate content from Safari that is not the viewstate we served.  All other form fields are from the right page; it's the content of the viewstate that is incorrect (i.e posted to page A, but clearly belonging to page B).

• Anonymous
  June 17, 2008
  not exactly sure how that could be.  the viewstate is just a form field so unless there is a transfer or some redirect i dont see how the form fields would swithc pages.  Would be interesting to see in the eventlogs who it lists as the referrer to see if it is a different page...

• Anonymous
  June 20, 2008
  Its not that much clear. can u tell clearly, wat to do when we get issue like Viewstate verification failed. Reason: The viewstate supplied failed integrity check.

• Anonymous
  September 02, 2008
  FYI: I vote no to it helping solve my problem, but I learnt something new which is more valuable. You should have a "Did this post benefit you?" rather than did resolve the issue.

• Anonymous
  September 19, 2008
  The comment has been removed

• Anonymous
  December 04, 2008
  I was having a problem with the viewstate as well.  I am fairly new to .net and was having a difficult go at the viewstate error.  After attempting a few fixes I read online, I noticed that I had a warning from my form tag in my html.   I had forgotten that I was using a masterpage, which already had the form tag in it.  I was running the program on my pc and did not know it was a problem till I moved the app to a more formal dev server.

• Anonymous
  December 12, 2008
  Wow, brains and beauty! two reasons while i'll be visiting your blog again...:-)

• Anonymous
  December 23, 2008
  If you work with web sites in a complex/multi server environment you might be familiar with this error

• Anonymous
  January 06, 2009
  The comments in here helped me to nail down my issue. In my case the FORM tag had the action URL to be a different one other than the current page where the postbacks meant to perform certrain actions. Once having the current page in that place, all is working fine now. But I still have a doubt that these changes are not required for a Windows 2003 Enterprise edition+SP2. This error was readily reproduced on a W2K3 R2 standard edition. Are there any settings that one need to look out in the R2 editions to correct this issue?

• Anonymous
  January 06, 2009
  The comments in here helped me to nail down my issue. In my case the FORM tag had the action URL to be a different one other than the current page where the postbacks meant to perform certrain actions. Once having the current page in that place, all is working fine now. But I still have a doubt that these changes are not required for a Windows 2003 Enterprise edition+SP2. This error was readily reproduced on a W2K3 R2 standard edition. Are there any settings that one need to look out in the R2 editions to correct this issue?

• Anonymous
  January 06, 2009
  Sridhar, This should not be platform dependent... Tess

• Anonymous
  March 03, 2009
  ok.. May be you can comemnt on this.. I wish there is a method for page object or a static method some where in the library that helps me call something like IsValidViewState()..(Just like how they have introduced TryParse...) That we we can ignore through code as oppposed to throwing an exception..(I can understand why they have this exception thrown) I wish there is an event that fires before this exception is thrown so that we get a chance to check for it as devolopers...Reson being there are so many spasmmers out there whose sole purpose seems to be to just cause this exception..I am sure you would agree with me that cause any exceptions to happen like very few seconds..is not good...........(I know there are other mechanisms like ip blocking and smart defense ect...) I wish this is true for validation exception when some one enters html in querysttring.....These exceptions are such a pain..Though I have not seen yet any performance impact because of these exceptions by spasmer and bots...I am just curious what your thoughts are

• Anonymous
  April 22, 2009
  The comment has been removed

• Anonymous
  December 18, 2009
  Tess, We are seeing the same this - our viewstate begins with /wEP - but right after this error we have a second error (Server001) - Large event record (33932 bytes): possible attack on event log Could our viewstate be too large? Thanks, Doug

• Anonymous
  December 20, 2009
  That's a definite possiiblity:)  There is no "real" limits on how large it can be, but given that message I would do view source on the page and save out the viewstate to check how big it is.  If the viewstate is very big it can cause various issues like bandwidth issues, clients disconnecting because it takes to long to download etc. One of the most common viewstate exceptions is actually client disconnect errors where clients shut down the browser or press stop before the full viewstate is copied down, but you can see that in the error message

• Anonymous
  February 04, 2010
  The comment has been removed

• Anonymous
  March 23, 2010
  The thread is great, but it goes into tricky details, and does not explain some simple cases, like one machine, application pool. For a novice getting "Viewstate verification failed. Reason: The viewstate supplied failed integrity check." I would recommend reading http://www.codeproject.com/kb/aspnet/machineKey.aspx and http://msdn.microsoft.com/en-us/library/ms998288.aspx

• Anonymous
  January 18, 2011
  The comment has been removed

• Anonymous
  March 09, 2011
  The comment has been removed

• Anonymous
  November 09, 2012
  let me now about this error message problem  please solve and tell me. Event code: 3005 Event message: An unhandled exception has occurred. Event time: 11/10/2012 1:47:06 AM Event time (UTC): 11/9/2012 8:17:06 PM Event ID: 31884226b9af4854a5d30df7b9e7c0e0 Event sequence: 18525 Event occurrence: 2 Event detail code: 0 Process information:    Process ID: 6200    Process name: w3wp.exe    Account name: NT AUTHORITYNETWORK SERVICE Exception information:    Exception type: FormatException    Exception message: Input string was not in a correct format.

• Anonymous
  February 14, 2013
  Hi Tess, What if the 3rd party is an e-commerce payment portal trying to use your site's payment confirmation page and you (tried) to remove all references to __viewstate?