|
Member
|
Steve-Appetere
-
7/24/2009 5:50:42 AM
"Unable to validate data" exceptions
Hello When I check the Kentico event log for my website, I am finding a recurring "Unable to validate data" exception on a daily basis, mostly for one particular page: http://www.appetere.com/Blogs/SteveM/March_2009/Appetere_registered_as_Kentico_Partner.aspxWhenever I view the page myself, it displays normally, so I cannot tell whether people browsing this page are redirected to the error page, or if Kentico just silently logs the exception in the background. The exception details are as follows: DocumentName: Appetere registered as a Kentico Partner
EventDescription: EXCEPTION MESSAGE: Unable to validate data.; STACK TRACE: at System.Web.Configuration.MachineKeySection.GetDecodedData(Byte[] buf, Byte[] modifier, Int32 start, Int32 length, Int32& dataLength) at System.Web.UI.ObjectStateFormatter.Deserialize(String inputString)
Site: Appetere
EventUrl: http://www.appetere.com/CMSTemplates/Appetere/Blog.aspx?aliaspath=/Blogs/SteveM/March_2009/Appetere_registered_as_Kentico_Partner
The same page also occasionally reports the different exception below. (This second error can apparently be caused by a postback being initiated before the page has fully loaded (& thus the page is missing the viewstate MAC which is at the end of the page?) in ASP.NET V3.5 (without SP1). However, there is nothing on the page which can cause a postback, apart from the comments box button & I'm pretty sure a user couldn't be quick enough to fill this in before the page had loaded.) So it may be a different reason, related to the other exception, above. DocumentName: Appetere registered as a Kentico Partner
EventDescription: EXCEPTION MESSAGE: Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.; STACK TRACE: at System.Web.UI.ViewStateException.ThrowError(Exception inner, String persistedState, String errorPageMessage, Boolean macValidationError) at System.Web.UI.ObjectStateFormatter.Deserialize(String inputString) at System.Web.UI.ObjectStateFormatter.System.Web.UI.IStateFormatter.Deserialize(String serializedState) at System.Web.UI.Util.DeserializeWithAssert(IStateFormatter formatter, String serializedState) at System.Web.UI.HiddenFieldPageStatePersister.Load() at System.Web.UI.Page.LoadPageStateFromPersistenceMedium() at System.Web.UI.Page.LoadAllState() at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) at System.Web.UI.Page.ProcessRequest() at System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) at System.Web.UI.Page.ProcessRequest(HttpContext context) at ASP.cmstemplates_appetere_blog_aspx.ProcessRequest(HttpContext context) at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Site: Appetere
EventUrl: http://www.appetere.com/CMSTemplates/Appetere/Blog.aspx?aliaspath=/Blogs/SteveM/March_2009/Appetere_registered_as_Kentico_Partner
Can anyone suggest what may be causing these exceptions & how to fix them? Thanks, Steve
|
|
|
Kentico Consulting
|
kentico_borisp
-
7/24/2009 5:58:26 AM
RE:"Unable to validate data" exceptions
Hi, Could you please try to add following code into <appSettings> section in your web.config file and check the behavior now: <add key="CMSUseViewStateUserKey" value="false"/> You can find more info about this property here: http://msdn.microsoft.com/en-us/library/system.web.ui.page.viewstateuserkey.aspxMoreover, this issue seems to be related to full-page caching. If you are using it, could you please try to turn it off? It could help. Best Regards, Boris Pocatko
|
|
|
Member
|
Steve-Appetere
-
7/24/2009 11:21:04 AM
RE:"Unable to validate data" exceptions
Thanks Boris.
Having looked into your suggestions, I would have thought that you would only need to either change the key or the caching?
If the problem stems from the fact that a unique key is set to identify the user's ViewState when the page is generated, then if you don't cache the page the same key won't be sent to another user who should not have it. Or if you don't set the key in the first place, you should be fine caching?
Interesting point is that on a low-traffic website you could run for ages without realising this is a problem, if two users never happened to postback the same page within the period the cache was alive for.
Anyhow, I have tried disabling the key & left the cache on, and will see what happens over the next few days.
For the other point ("Validation of viewstate MAC failed") I think this could be caused by the ASP.NET application changing the "validationkey" in the <machineKey> section of web.config when the application pool is restarted by my hosting company. And hence, if a user posts back a page after the restart, they will receive the error.
To try and fix this, I've specified my own keys in the <machineKey> element, so they will not change from now on.
Steve
|
|
|
Kentico Support
|
kentico_jurajo
-
7/29/2009 6:28:46 AM
RE:"Unable to validate data" exceptions
Hi, regarding the view state validation. HAve you seen this article? Moreover, this issue seems to be related to full-page caching. If you are using it, could you please try to turn it off? It could help. Best Regards, Juraj Ondrus
|
|
|
Member
|
Steve-Appetere
-
7/29/2009 8:11:05 AM
RE:"Unable to validate data" exceptions
Hi Juraj, I just checked & found I'd never turned full page caching on for my site. (Just to be sure, in CMS Desk -> Content -> Root document -> Properties -> General -> Cache, the radio button was set to "No". All other pages were set to "Inherit"). I'm still getting the "Unable to validate data" exception about twice a day - almost always for the same page: http://www.appetere.com/Blogs/SteveM/March_2009/Appetere_registered_as_Kentico_Partner.aspxI did also set <add key="CMSUseViewStateUserKey" value="false"/> on the 24th July, so it is not due to this either. When I do a "WhoIs" lookup on the IP addresses of the people viewing the page, they seem just to be random people, rather than search engine bots. The page itself is pretty much a direct copy of the Corporate Site ASPX blogs page, just slightly simplified & the layout changed. There must be some significance to why this particular page causes the problem. It is quite commonly the first page that users view in the site, but other blog articles are almost as popular as a first page viewed (presumably from search engine referrals), and these don't cause the same exception. My hosting company are adding Service Pack 1 to ASP.NET 3.5 in a few weeks, and one article I read suggested this may help, but the reason didn't seem quite to match my problem. Any further ideas on what I can try next? ------------------------------ One piece of good news on exception fixing - I've not had the "Validation of viewstate MAC failed" exception again since adding my own <machineKey> element to web.config. So this at least seems to have worked. Steve
|
|
|
Kentico Support
|
kentico_jurajo
-
7/30/2009 2:24:48 AM
RE:"Unable to validate data" exceptions
Hi, I have made some google search and I have found this forum post. But maybe you have alredy found this as well. If yes, please let me know and I will try to find another post or article. Best Regards, Juraj Ondrus
|
|
|
Member
|
Steve-Appetere
-
7/30/2009 8:22:08 AM
RE:"Unable to validate data" exceptions
Hi Juraj, I pulled an example of when the exception occurs from my website logs. The most striking thing is that the two requests are only one second apart. The next thing is that the second request is a POST request. The only way that a POST can be generated on that page is either to complete the "Comments" form (impossible manually in <1 second) or to click the "Login" menu item, which uses the ASP.NET LoginStatus control with a postback. Also, when someone requests the blog entry, there are several other requests (the Kentico logo amongst them) which have to be fulfilled. But in this instance none of the requests appear in the website log. 2009-07-24 11:22:16 212.235.107.156 - W3SVC633 WIN9 213.143.20.35 80 GET /Blogs/SteveM/March_2009/Appetere_registered_as_Kentico_Partner.aspx - 200 0 29311 343 1844 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+ru)+Opera+8.01 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+ru)+Opera+8.01 http://www.appetere.com/Blogs/SteveM/March_2009/Appetere_registered_as_Kentico_Partner.aspx
2009-07-24 11:22:17 212.235.107.156 - W3SVC633 WIN9 213.143.20.35 80 POST /Blogs/SteveM/March_2009/Appetere_registered_as_Kentico_Partner.aspx - 500 0 9722 2639 218 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1;+ru)+Opera+8.01 CMSPreferredCulture=en-GB;+ASP.NET_SessionId=zz0r5z45pwl3ikqaez5i1jyn;+CurrentVisitStatus=1;+ViewMode=0 http://www.appetere.com/Blogs/SteveM/March_2009/Appetere_registered_as_Kentico_Partner.aspx
This pattern of two rapid requests, GET then POST, repeats each time the exception is recorded. So although it is possible that a genuine user is trying to view the page, getting an error and giving up, it looks more like some sort of automated process probing the site. If this is the case, then the error is potentially explained in this msdn blog entry where rapidly posting back before the page is fully loaded will cause an exception. This in turn should be resolved by ASP.NET 3.5 with Service Pack 1 (the article says). My ISP is adding the Service Pack in a few weeks, so I will see then what happens. In the meantime, I plan to ignore any further exceptions of this type! Steve
|
|
|
Member
|
Steve-Appetere
-
7/30/2009 1:46:55 PM
RE:"Unable to validate data" exceptions
To bring everything together from this thread, I've written a blog post about ViewState - as understanding & configuring it correctly, or not, seems to have been at the root of the exceptions I have been experiencing. http://www.appetere.com/Blogs/SteveM/July_2009/Working_with_ViewState.aspx
|
|
|
Kentico Support
|
kentico_jurajo
-
8/3/2009 6:22:11 AM
RE:"Unable to validate data" exceptions
Hi,
Thank you for the blog post. It is very helpful - we appreciate your help.
Best Regards, Juraj Ondrus
|
|
|
Member
|
drewr-bpstudios
-
3/24/2010 2:41:02 PM
RE:"Unable to validate data" exceptions
Steve, Juraj, I'm not clear what Steve did to fix this issue: Was it: a) setting CMSUseViewStateUserKey to false in web.config <add key="CMSUseViewStateUserKey" value="false"/> b) removing page caching? c) applying the service pack His blog post is informative, but I'm not sure what step he did to resolve the "Unable to validate data" problem. Please email patrickd@bpstudios.com when you respond. Regards, Patrick
|
|
|
Member
|
smoss@appetere.com
-
3/25/2010 8:31:05 AM
RE:"Unable to validate data" exceptions
Hi Patrick "Unable to validate data" can only occur during postbacks and only if there is something to validate. If you have set: <add key="CMSUseViewStateUserKey" value="false"/>, the ViewState should not have a Message Authentication Code appended to it. So no validation of the MAC will be attempted. It might be worth adding enableViewStateMac = "false" in web.config as well, as I don't know exactly what the Kentico setting does. If viewStateEncryptionMode = "Auto", then the ViewState will not normally be encrypted (unless certain controls not normally used with Kentico are on the page), so again there is no decrytion operation to fail (although I'm not sure this would generate the same error message). So if these two conditions are met, then it shouldn't matter what else you do (caching, etc), as there is no validation operation that can fail. However, for myself, I prefer to allow Kentico to add a MAC to the ViewState. So then, you have to be sure that each user receives a page with a MAC unique to them. As such, I don't use full page caching, which could send the same page to two or more visitors. Having said all that, I still get "Unable to validate data" about once a month on my web site www.appetere.com. I can't adequately explain these, but think it may be something like a search engine with a cached copy making the POST request. So the MAC is probably no longer valid and causes the exception. By looking at the raw logs of my web site, I've also seen some very odd series of requests before these exceptions occur - so ASP.NET may just be mounting a successful defence against someone trying an attack, which after all, is what the check is there for.. Hope this helps. Steve
|
|
|