Security :: Postbacks With Authentication Causing Errors?
Jan 28, 2010
After adding personalization and authentication to my site, I was getting pitched out of my application (which is on a hosted server) and sent back to the login screen. I disabled authentication to see if I could figure out what was going on. I found that I was getting a system error:
Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
This error has been reported elsewhere [URL] so I made the following change to my web.config
This seems to have worked to a point, because with authentication DISABLED, I no longer get the error. But when I RE-ENABLE authentication, I get pitched out randomly back to the login screen. Timeout is not an issue. It only happens when I move very quickly through screens that are doing a lot of postbacks.
This is the authentication stuff from my web.config
We have an ASP.NET page which uses an update panel for partial page postbacks. On the server side, the postback performs some database work and updates several UI elements. The database code is all contained in several transactions, so the state will still be consistent if an exception is thrown. We're working on some error handling code now, and my first thought was to log the exception thrown, reload the last consistent UI state, and show some sort of modal popup or other UI element with a brief error message for the user (this is an intranet page, so we're automatically notified of the bug, and the users know where to find us).
I am using the URL Rewriter (Intelligencia.UrlRewriter). I have a page with the name sitename/user/search.aspx and the rewrite is sitename/test/search. Now the problem is... When I am on sitename/test/search and I click the search button, I get an error "The resource cannot be found." because when the page posts back to itself, it goes to sitename/test/searchsearch.aspx, basically putting the original name in the URL, which messes everything up. What should I do? Some pages have this problem and other pages do not.
I'm trying to add a row grouping row to my data-bound GridView. It works fine on the first response, but at the postback I got the "Failed to load viewstate" error. Here is the code for the GridView's RowDataBound event:
Private Sub AddGroupingRow(ByRef eRow As GridViewRow, ByVal Css As String, ByVal ColSpan As Integer, ByVal Txt As String)
    Dim cell As New TableCell()
    cell.ColumnSpan = ColSpan
    cell.CssClass = "Spacing FieldCell"
    cell.Text = Txt
    Dim row As New GridViewRow(-1, -1, DataControlRowType.DataRow, DataControlRowState.Normal)
    row.CssClass = Css
    row.Cells.Add(cell)
    [code]...
Working through Steven Sanderson's excellent Pro ASP.Net MVC Framework book. I am trying to reference the TempData collection to display a message after an item has been successfully updated and so have placed a reference to this on my Master Page. [Code]....
This is giving me the following compile time errors:
Error 1 The name 'TempData' does not exist in the current context <programme location>
Error 2 The name 'TempData' does not exist in the current context <programme location>
If I reference TempData on a content page it compiles (and works) fine.
I have an update panel with a number of [asp:AsyncPostBackTrigger...] controls, and everything was working fine. But now, something keeps inserting duplicate AsyncTriggers, and instead of simply being [asp:AsyncPostBackTrigger...] controls they're [System.Web.UI.AsyncPostBackTrigger...] controls, and I get parser errors as a result. So I delete the duplicate triggers, and they get re-inserted within a few minutes, seemingly randomly.
Since last week I've had a really odd issue with PageMethods and the back button which I've never seen before.
Essentially, I have a 'home page' which on document.ready (using jQuery), loads some data through PageMethods, and then renders a list - from which you can click through to a details page about the item. In general use, it works fine. However, using the back button after clicking through (ie: going back to the home page), it throws a PageMethods error. The browser's 'authentication required' prompt appears, and if you click cancel, the server returns a 401. The error returned by PageMethods on the client side is 'authentication failed'.
Just FYI, the application is using ASP.NET forms authentication. The weird thing is, this happens as soon as you click the link and click back. It's not like the authentication cookie has expired or anything, and if you click cancel when the prompt appears and refresh the page, it works fine. I just can't work out what is going on.
I've tried disabling caching on the page (as I thought it was something to do with some browsers' caches of the DOM), but the same thing happens.
One workaround I've had is to redirect the page to itself if the PageMethods error is 'authentication failed', which does work - but only when you cancel the authentication prompt. Obviously the prompt appears, which is not ideal.
I don't understand it, and the user is clearly authenticated. Does anyone have any idea what might be happening?
Since last week I've had a really odd issue with PageMethods and the back button which I've never seen before. Essentially, I have a 'home page' which on document.ready (using jQuery), loads some data through PageMethods, and then renders a list - from which you can click through to a details page about the item. In general use, it works fine. However, using the back button after clicking through (ie: going back to the home page), it throws a PageMethods error. The browser's 'authentication required' prompt appears, and if you click cancel, the server returns a 404. The error returned by PageMethods on the client side is 'authentication failed'.
Just FYI, the application is using ASP.NET forms authentication. The weird thing is, this happens as soon as you click the link and click back. It's not like the authentication cookie has expired or anything, and if you click cancel when the prompt appears and refresh the page, it works fine. I just can't work out what is going on. I've tried disabling caching on the page (as I thought it was something to do with some browsers' caches of the DOM), but the same thing happens. One workaround I've had is to redirect the page to itself if the PageMethods error is 'authentication failed', which does work - but only when you cancel the authentication prompt. Obviously the prompt appears, which is not ideal. I don't understand it, and the user is clearly authenticated. Does anyone have any idea what might be happening? It's happening in Chrome, Firefox, and IE.
I have created a user web control library project, and I'm using these controls in my web application. These user controls work just fine on my local machine, but when I moved this project (including the library) to our local server, it throws a security exception:
Error 1 Cannot register assembly "LocalServerLibraryDemoLibraryDemoLibraryinDebugLibrary.dll". Request for the permission of type 'System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed. Library
This could be very straightforward for some of you, but I got caught up. I am doing a very simple test - browsing from IIS Manager to see the default page or "Under Construction"; however, I am being challenged to provide my login credential. When I provide my login credential, I am able to see the default page. I wanted to see the default page without providing my credential, since Enable anonymous access + basic authentication. I simply want to see the default page, as it is working on other servers except this one. I have included a screen print to make sure my question is clear.
I set the authentication mode to Windows in the web.config, and I enabled Windows Authentication and disabled Anonymous Authentication in IIS 7 on Win 7, but HttpContext.Current.User is always null. It works fine when I host the web app in IIS 6.0.
I have a website where different companies and users can log in. Until now I have not seen any issue on IE 6. But in the case of one account, when trying to log in to the website, users are getting the security information "This page contains both secure and non-secure items."
I can reproduce the same easily for the same customer, but it does not happen for any other customer. I have a "ReportViewer" control (gets rendered as iframes) on the page.
In this scenario, whether the user selects the "Yes" or "No" button, the home page with charts loads 30% and the other controls remain invisible, though I see the same output in "View source" for this and other customers. We don't change anything much other than the data and charts for the users. We use https for this website and have a few links with "http" in the page. But then this is the same for all the users, and it happens only in the case of one customer.
I have a web farm web project, and want to make sure Windows authentication is working well without any problem in the web farm. Can anyone give me some websites or information about that?
I needed information regarding the capabilities and integration of the AzMan tool with ASP.NET. Currently, I have a SharePoint 2007 website along with ASP.NET 2008 where I am using Form Based Authentication. Now, the requirement is that any user within a domain registered in AD should be able to log in to the website through the intranet.
Can I achieve this using AzMan, or do I need to create two websites, one with FBA for internet users and the other one for the intranet users with AD authentication? Also, my internet website is deployed and in use, where user mapping and roles are already created, so what will be the impact of using this tool on the existing website?
I have a web page which is using the PasswordRecovery control. It's working fine, but I have a scenario in which I have to disable ViewState for the whole application. Now, after disabling ViewState, when I visit the web page I have noticed that the PasswordRecovery control is not working (every time I submit the default button to go to step 2, the postback occurs but it does not move to step 2).
I have developed the authenticated RSS feed using basic HTTP authentication for my site. I also have the admin module for the site, which uses ASP.NET Forms Authentication. Both are in the same project. When I turn the forms authentication module to None in my web.config, my RSS feed authentication works fine (the browser pops up the dialog box for the username and password), and upon entering the username and password the RSS feed gets displayed. But with forms authentication turned on, when I click the RSS feed link I am redirected to the administrator login page.
If I set my authentication mode to None then the feed works like a dream, but the admin module does not work, as it uses forms authentication.
How can I resolve that conflict? I am using the ASP.NET MVC filter on my feed controller to pop up the dialog box for the username and password.
I'm developing an internal booking system. Users log in to the system and can view existing bookings and search for bookings. They can also create new or edit existing bookings. When completing such actions I need a confirmation prior to completing the booking or updating the record. The confirmation is based on a reauthentication of the user... in other words, he needs to enter his password again.
How can I achieve this? The system is internal and I'm using Forms Authentication. I am also using roles, as some of the admin forms can only be viewed by administrators.
I am currently using Server.CreateObject("MSXML2.ServerXMLHTTP.3.0") to get information via XML. The app was built connecting from Point A to Point B, with A and B being 2 servers in different locations. Through a cloud, we set up both locations on the same server with different host headers... Since this happened, we are getting an "invalid cert." error when we try to make the XML connection. I changed the code to invoke SXH_OPTION_IGNORE_SERVER_SSL_CERT_ERROR_FLAGS, but it was recently brought to my attention that this could in fact be invalidating the SSL, and the connection is no longer secure. Does anyone know if that's the case?
If so, is there typically a problem with 1 server establishing an SSL connection between itself? The certificate has remained the same (a wildcard cert. enabling *.mysite.com) just the physical location of the servers is what moved (And technically the version of IIS was upped to 7).
I thought I had this working, but right now I'm confused. When I try to cause an error by re-using an email, it gives me the success message, even though nothing is added.
I need to get the free Google charts working over SSL without any security errors. I am using C# and ASP.NET. As Google charts does not support SSL by default, I am looking for a robust method of using their charts but ensuring my user doesn't get any security warnings in their browser. One thought was to use a handler to call the charts API and then generate the output my site needs, similar to the "Pants are optional" blog post. I haven't been able to get this example working at this stage.
I am trying to setup a notification bar that shows errors when trying to login. I am using MySql as a backend.
Here is the aspx:
[Code]....
Here is the code behind:
[Code]....
I am not sure if I am over thinking what I am trying to do or what. I was able to get it to show the notification bar but it wouldn't show correctly and then somehow it wouldn't let me login.
The above code is what I came up with after reading some articles, which doesn't work. When stepping through the code, I get an "Input string was not in the correct format" error. I think the reason I get that error is because the password format is "Encrypted".
Either way I try it, I can't get the bar to show up with the error, or actually log in (I am sure I can remove everything that I 'tried' and it would work).