设置ViewStateUserKey会给我一个“viewstate MAC failed的validation”错误

好的 – 我的谈话迟了一年 – 但这是正确的答案？ 这仅适用于经过身份validation的用户并使用ViewStateUserKey因为用户名比会话ID GUID更容易猜测。

顺便说一下，如果你想要“修复”最上面的代码，请使用会话ID，但是你必须设置一个会话变量，以便会话ID停止每次更改。 防爆。 Session["Anything"] = DateTime.Now

 ViewStateUserKey = Session.SessionID; 

这当然是假设您要使用会话，否则您需要使用其他密钥，例如用户名或cookie中保存的任何其他guid。

我已经搜索了很多，以找到问题的最终原因。 微软的这篇文章真的有助于解释所有不同的原因。 http://support.microsoft.com/kb/2915218原因4是我们登陆的无效ViewStateUserKeyValue

将ViewStateUserKey设置为Session.SessionID或User.Identity.Name对我们不起作用。

由于以下原因，我们间歇性地得到了validation错误。 当IIS重置应用程序池时，会话将更新，从而导致错误。 我们在登录时删除会话以避免会话固定，也导致登录时出错。

最终为我们工作的是基于cookie的解决方案，现在在VS2012中提供。

 public partial class SiteMaster : MasterPage { private const string AntiXsrfTokenKey = "__AntiXsrfToken"; private const string AntiXsrfUserNameKey = "__AntiXsrfUserName"; private string _antiXsrfTokenValue; protected void Page_Init(object sender, EventArgs e) { //First, check for the existence of the Anti-XSS cookie var requestCookie = Request.Cookies[AntiXsrfTokenKey]; Guid requestCookieGuidValue; //If the CSRF cookie is found, parse the token from the cookie. //Then, set the global page variable and view state user //key. The global variable will be used to validate that it matches in the view state form field in the Page.PreLoad //method. if (requestCookie != null && Guid.TryParse(requestCookie.Value, out requestCookieGuidValue)) { //Set the global token variable so the cookie value can be //validated against the value in the view state form field in //the Page.PreLoad method. _antiXsrfTokenValue = requestCookie.Value; //Set the view state user key, which will be validated by the //framework during each request Page.ViewStateUserKey = _antiXsrfTokenValue; } //If the CSRF cookie is not found, then this is a new session. else { //Generate a new Anti-XSRF token _antiXsrfTokenValue = Guid.NewGuid().ToString("N"); //Set the view state user key, which will be validated by the //framework during each request Page.ViewStateUserKey = _antiXsrfTokenValue; //Create the non-persistent CSRF cookie var responseCookie = new HttpCookie(AntiXsrfTokenKey) { //Set the HttpOnly property to prevent the cookie from //being accessed by client side script HttpOnly = true, //Add the Anti-XSRF token to the cookie value Value = _antiXsrfTokenValue }; //If we are using SSL, the cookie should be set to secure to //prevent it from being sent over HTTP connections if (FormsAuthentication.RequireSSL && Request.IsSecureConnection) responseCookie.Secure = true; //Add the CSRF cookie to the response Response.Cookies.Set(responseCookie); } Page.PreLoad += master_Page_PreLoad; } protected void master_Page_PreLoad(object sender, EventArgs e) { //During the initial page load, add the Anti-XSRF token and user //name to the ViewState if (!IsPostBack) { //Set Anti-XSRF token ViewState[AntiXsrfTokenKey] = Page.ViewStateUserKey; //If a user name is assigned, set the user name ViewState[AntiXsrfUserNameKey] = Context.User.Identity.Name ?? String.Empty; } //During all subsequent post backs to the page, the token value from //the cookie should be validated against the token in the view state //form field. Additionally user name should be compared to the //authenticated users name else { //Validate the Anti-XSRF token if ((string)ViewState[AntiXsrfTokenKey] != _antiXsrfTokenValue || (string)ViewState[AntiXsrfUserNameKey] != (Context.User.Identity.Name ?? String.Empty)) { throw new InvalidOperationException("Validation of Anti-XSRF token failed."); } } } } 

资源

我现在通过将代码更改为：

 protected override void OnInit(EventArgs e) { base.OnInit(e); if (User.Identity.IsAuthenticated) ViewStateUserKey = User.Identity.Name; } 

你能用EnableViewStateMac @Page属性关闭ViewState MAC编码吗？

非常奇怪，我也有类似的问题3天，现在我解决了。 1.我启用了表单身份validation，并且ssl为false

2. 但在我的httpcookies标签中，我有requireSSL = true。 因为在Site.Master.cs中它使用cookie来设置ViewStateUserKey，所以它有问题

3. 因此我得到了错误。

4. 我将其修改为false并重新启动了web应用程序，现在一切都很好。