Last post Dec 19, 2014 02:02 PM by ddraper
Dec 18, 2014 10:10 AM|ddraper|LINK
Beginning in a recent OS Patch, you can no longer disable the ViewState MAC check. Microsoft says this is because using this is a security risk and they know better than you. While that may be true, there are many cases where application may not be able
to avoid a ViewStateMAC error. And so Microsoft's decision to FORCE you to use it can adversely affect your application. One example is an application that dynamically adds fields to a form based on database settings. An administrator decides to remove a field
from a form while a user has the form open in a browser. The field is removed and then the user submits his form to the server. The application attempts to rebuild the form but now with one less field and guess what happens! The user is rewarded with a ViewState
error. I have a client where this is now occurring after the server OS was patched.
I personally do not appreciate Microsoft forcing us to use security feature...it simply should be our choice. Regardless if you agree or disagree, it has left many of us with broken applications. Does anyone know if we can at least suppress the application
error from getting generated so that the user does not see an error condition?
Thanks in Advance.
Dec 19, 2014 02:19 AM|Michelle Ge - MSFT|LINK
According to your description, I think you need to make some custom checking for your application, also you can try to use __VIEWSTATE form field.
There is a blog about this, please refer to the link below:
Hope it's useful for you.
Dec 19, 2014 02:02 PM|ddraper|LINK
Thanks Michelle. Yes we can detect a ViewStateMAC error but the page fails none-the-less. So the underlying problem is that we have to identify what is causing the ViewStateMAC errors and has proved to be an impossible task so far. We have researched thousands
of pages and tried every suggestion. We are now trying to rewrite the pages to use not VIEWSTATE at all which completely defeats the purpose of this great feature. The web is littered with bazillions of users fighting this error. My client had to resort to
using enableViewStateMAC=false and now that is no longer an option. Since we did not see the bulletin about this change and my client has production servers with pages crashing, have tried everything MS suggest to fix these and have no tools to identify the
cause. This could bring down their small business.
My point was that you can perform completely valid coding that can cause ViewStateMAC checksums to change while a ViewStateMAC change could be a security attack, 99.9% of the time it is not. But MS decides it so dangerous that it must match every time. Of
all the problems, ASP.NET security, MS had to choose this one to shove down our throats?