EnableEventValidation="false" - A Good Idea? [duplicate]

Tags:

c#

asp.net

Possible Duplicate:
purpose for <pages enableEventValidation="false">

I have another related question without an answer as yet: my stackoverflow question

However, my problem goes away if I set EnableEventValidation="false".

Now my question is does it make a really big deal if I set this on a MasterPage?

In all the references to setting this to false, no one brings up the security issue other than MSDN.

Any suggestions?

ComfortablyNumb asked Feb 01 '12 23:02


1 Answer

Removing event validation decreases the number of security checkpoints within the application. The question is, does it matter?

A simple example where it matters

A user is given 2 options because they are a "Silver" member on a site. They craft a request that actually submits option #3 and are granted a "Gold" privilege that they didn't pay for.

An example where it probably doesn't matter

A user crafts a request that asserts they live in a country that wasn't in a dropdown list on your page. You are running a transactional, relational database which catches this with a foreign key constraint. The user receives an error and no data is persisted or corrupted.

Am I suggesting to let your database perform validation? Certainly not. But in this example, no harm is done.

When in doubt, assume that it does matter and that someone will find a way to break your code.

The Ideal Approach

First, identify why event validation is breaking. In my experience it's usually due to a misuse of page/control design. In 15+ years of .NET development, I have only once seen event validation break the design of a control. That control was so complex it ultimately had to be rewritten. In other words, if event validation causes a problem for your control, you should probably rethink the control's design, not disable event validation.

And finally:

Identify and validate your critical business rules server-side and independently from ASP.NET. Don't rely on a framework to do your job; it's too easy to assume that security is "handled" and leave a gaping hole in your design.

Tim M. answered Sep 19 '22 08:09
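As an added illustration (not code from the answer above), this is what the answer's "Silver vs. Gold" example looks like when the business rule is enforced in Web Forms code-behind, independently of EnableEventValidation. The page class `ChoosePlan`, the control IDs `ddlPlan`, `btnSubmit` and `lblResult`, and the `MembershipTier` session key are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical code-behind: the page renders a DropDownList "ddlPlan",
// a Button "btnSubmit" and a Label "lblResult".
public partial class ChoosePlan : Page
{
    // Hypothetical business rule: the plan options each membership tier may pick.
    private static readonly Dictionary<string, HashSet<string>> AllowedByTier =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "Silver", new HashSet<string> { "1", "2" } },
            { "Gold",   new HashSet<string> { "1", "2", "3" } },
        };

    // The tier is taken from server-side session state, never from the request.
    private string CurrentTier => (Session["MembershipTier"] as string) ?? "Silver";

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // Render only the options this tier is entitled to.
            ddlPlan.Items.Clear();
            foreach (string option in AllowedByTier[CurrentTier])
                ddlPlan.Items.Add(new ListItem("Plan " + option, option));
        }
    }

    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        // Check the raw posted value rather than trusting ddlPlan.SelectedValue:
        // with event validation off, a value that was never rendered for this
        // user can still arrive in the form post.
        string posted = Request.Form[ddlPlan.UniqueID];

        // The rule is enforced here regardless of the EnableEventValidation setting.
        if (string.IsNullOrEmpty(posted) || !AllowedByTier[CurrentTier].Contains(posted))
        {
            lblResult.Text = "Invalid selection for your membership level.";
            return; // nothing is granted or persisted
        }

        lblResult.Text = "Plan " + posted + " applied.";
    }
}
```

With this check in place, disabling event validation to work around a control problem no longer decides whether a Silver member can obtain option #3; the server-side rule does.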