Event Validation in ASP.NET

SurajRane
Posted by in ASP.NET category on for Beginner level | Views : 24277 red flag
Rating: 4 out of 5  
 3 vote(s)

Writing here to describe what is event validation in Asp.Net. Once during development I got below error when I was trying do post back using selected index Change event of a DropDown and I know you might have somewhere got this during development.

Event Validation In Aps.Net


You might have come across below errors.

Invalid postback or callback argument. Event validation is enabled using <pages enableeventvalidation="true" /> in configuration or <%@ page enableeventvalidation="true" %> in a page. For security purposes, this feature verifies that arguments to postback or callback events originate from the server control that originally rendered them. If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the postback or callback data for validation.”

I solved this by setting EnableEventValidation to false in page directive. But I was not knowing the reason why I anyone need to set this to false and what it means.

Event validation is the new feature introduced in Asp.Net. It checks for valid postbacks and there by disallowing any script injection attacks and bad post backs (done by malicious users).

To discuss let’s consider an example. I have a page page1.aspx which has following code on it.


Page1.aspx

<head runat="server">

    <title></title>

</head>

<body>

    <form id="form1" runat="server">

    <div>

       <asp:DropDownList ID="ddlSelectBx" runat="server" AutoPostBack="true">

            <asp:ListItem Text="ONE" Value="1"></asp:ListItem>

            <asp:ListItem Text="TWO" Value="2"></asp:ListItem>

            <asp:ListItem Text="THREE" Value="3"></asp:ListItem>

        </asp:DropDownList>

    </div>

    </form>

</body>

</html>

When this page is rendered at client side you will find a hidden field like below in in source file. (view source for the page)

<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEWBALbnPeuAgKAqqrDAwKBqqrDAwKCqqrDA3LEZxdcKsmICYqDpLuBczv09L7Y" />

This hidden field value maintains all possible postbacks which dropdown list may cause with rendered values. It does this by hashing controls unique id with index of listitems of dropdowns. It means postbacks which might be caused by values ONE,TWO or THREE are already known to the runtime. When such postback happens, runtime checks to see whether this postback is valid using de-serialized value of __EVENTVALIDATION  hidden field.


Now say you have added  4th listitem to dropdown at clientside using some javascript code say

 <asp:ListItem Text="FOUR" Value="4"></asp:ListItem>

In this case runtime do not know the new item added because it is not rendered from server but added at client side. Postback caused by such item is not registered and not added in __EVENTVALIDATION hidden field.

When such item raises any event Event validation fails and we get the error mentioned above.

This can be solved by ClientScript.RegisterForEventValidation  method. Write it in Page Render method.

You can tern on/off Event validation in page directive using attribute EnableEventValidation

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Page1.aspx.cs"

Inherits="WebApplication1.Page1" EnableEventValidation="true" %>

When EnableEventValidation is false __EVENTVALIDATION hidden field will not be rendered.

:)





Page copy protected against web site content infringement by Copyscape

About the Author

SurajRane
Full Name: Suraj Rane
Member Level: Starter
Member Status: Member
Member Since: 10/8/2009 10:53:40 PM
Country: India

http://www.dotnetfunda.com
System Analyst Suraj Bhaskar Rane

Login to vote for this post.

Comments or Responses

Login to post response

Comment using Facebook(Author doesn't get notification)