Pages

Wednesday, November 4, 2009

Weird Error : Unable to Validate Data in ASP.NET website

Have you ever come across a situation where your website which was working for last couple of months gives a weird error "Unable to Validate Data". Yesterday, while working I found that my website which is already published in IIS throws this error. Initially I thought the error might be with my code, but I found that everything is good with the code. So I looked forward to internet and found that this error comes when the viewstate of a page cannot be decrypted when the response received from the client.

When I look where the error is occurring(Target Site) I found:

Unable to validate data at
System.Web.Configuration.MachineKey.GetDecodedData(Byte[] buf, Byte[] modifier,
Int32 start, Int32 length, Int32& dataLength) at
System.Web.UI.LosFormatter.Deserialize(String input)

Actually the problem is with the viewstate. The viewstate is actually decrypted in the server using a secret Machine key which resides on the server. The interesting thing is the key gets regenerated after a certain time. Therefore when the user returns the viewstate, if the machine identified key is changed, the decryption of viewstate fails and thus throws this nasty error.

Solution

The solution is simple. First of all, to solve the issue, I disabled the ViewState for the current page by putting EnableViewState = false. Even I have disabled this for the entire viewstate for the website using Web.config. But still the error.
Finally I have used "EnableViewStateMac =false" in pages section. Voila, this cures the problem.
<pages buffer="true" enableViewStateMac="flase"/>
</pages>
Just place the following between the system.web section and the site starts working.

Another solution that you might use as well is to place the machine key directly on your web.config, so that it always decrypts and encrypts using the static key values. To do this you need to use the following :

<machinekey validationkey="22E995276703B846C4AD0881EE3159FFCB376CD48B27F64
9A074815C83D5C925038938F6943555687582CBC186DB22E552FCDB4D46
124BAADEE85A857CC135BC" decryptionkey="60588EB661A6483348C20F92659775872CB06427AF20733C" validation="SHA1"></machinekey>

You might use this site to Generate your validation key as well.
To get the deep knowledge on what makes this happen, I found some insight from Internet and reading some articles of msdn. Let us talk a little on that note.
Say you made a request for a page in the server. After you place the request the server processes it, encrypts the viewstate that the server receives using the encryption mentioned. Basically it uses the key mentioned in the Machine.config to encrypt the viewstate data. Finally it converts to Base64 and embed into some hidden fields.

We can mention the machine key in Web.config too so that it uses it for the current website. You might use AutoGenerate option too to enable/disable autogeneration of key during the runtime.

Your comments are welcome.