Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Disabling ASP.NET EventValidation

We're tired of getting exceptions regarding "Invalid postback or callback argument" in our web app. What scenario(s) causes this error?

After talking to users, we've determined that one possible cause of this is when they click something that causes a postback, and then click something else before the initial postback completes.

What is the harm in disabling event validation? For what it's worth, we have SecureIIS installed for increased security.

UPDATE: In some places, we use Javascript to modify certain controls values, such as a drop-down list options (we do this to make a better user experience - less postbacks). This is likely causing the error. We have strict edits in place for all user input, so we are going to proceed with disabling EventValidation. Thank you!

like image 248
Josh Stodola Avatar asked Mar 02 '23 00:03

Josh Stodola


1 Answers

Event Validation verifies that the values have not been tampered with manually, e.g. outside the scope permitted by the controls involved. For example, if you have a drop-down list with three choices 1, 2, or 3... if the user (or malicious middleman) changes the value to 4, validation will fail.

As long as you are doing your own checking in each handler to ensure incoming values are valid, and your code is structured in such a way that unexpected input will cause nothing to happen (safest), you will be fine with validation turned off.

like image 157
Rex M Avatar answered Mar 05 '23 18:03

Rex M