It allows a malicious user to hijack the request-response behavior and split in their own headers or alter the data and other unwanted bits.
∞ Andy Badera ∞ +1 518-641-1280 ∞ This email is: [ ] bloggable [x] ask first [ ] private ∞ Google me: http://www.google.com/search?q=andrew%20badera

On Wed, Sep 16, 2009 at 12:05 PM, Ana <[email protected]> wrote:
>
> Why disable would be a security issue?
>
> On Sep 15, 3:23 pm, "Juan M. Oviedo" <[email protected]> wrote:
>> Disable??? That would be a security issue!
>>
>> Juan M. Oviedo
>>
>> Date: Mon, 14 Sep 2009 20:41:59 +0200
>> Subject: [DotNetDevelopment] Re: "Failed to load view state"
>> From: [email protected]
>> To: [email protected]
>>
>> Well, it looks like that is the problem...Try not to hide it, but to disable
>> it :)
>>
>> 2009/9/14 Ana <[email protected]>
>>
>> I came back to the page I was working before to see if I find what is
>> firing this error message. I just realized that, even though I'm not
>> creating controls dynamically, I'm showing/hiding controls dynamically
>> in the FormView. For instance, some fields can only be updated if the
>> user is the administrator; when the user is not the administrator,
>> what I'm doing is hide the control (usually a TextBox). Can this be
>> the reason why I'm having the error message?
>>
>> Thanks,
>>
>> Ana
>>
>> On Sep 14, 9:48 am, Ana <[email protected]> wrote:
>>
>> > Hi,
>>
>> > Apparently what was happening was that in the EditItemTemplate the
>> > formView had a Label, but in the InsertItemTemplate and ItemTemplate
>> > this Label was not there. I removed the Label from the
>> > EditItemTemplate and the error message is not being fired anymore. Can
>> > anyone give me more details about this?
>>
>> > Thanks,
>>
>> > Ana
>>
>> > On Sep 14, 9:32 am, Ana <[email protected]> wrote:
>>
>> > > This problem is really driving me nuts! I'm working in a different page
>> > > now, and am having the same problem (always associated with a
>> > > formview). In the page I'm working now, the problem happened when I
>> > > updated a record. I updated a record in the FormView, the GridView was
>> > > bound correctly, but when I tried to update another record the "fail
>> > > to load view state" error was fired again.
>> > > I'm not creating any controls dynamically. I can't understand what is
>> > > happening at all!
>> > > I don't think that make EnableEventValidation="false" is the better
>> > > way to solve this problem. As you said, Raghupathi, "we are giving a
>> > > way to hacker to intrude by disabling the event validation".
>> > > Anyone here already had this problem and can help me with this? I
>> > > appreciate all help!
>>
>> > > Thanks,
>>
>> > > Ana
>>
>> > > On Sep 9, 11:55 pm, Raghupathi Kamuni <[email protected]> wrote:
>>
>> > > > To solve this problem,
>>
>> > > > <pages enableEventValidation="false"/> in Web.Config or,
>> > > > <%@ Page EnableEventValidation="false" %> in a page attribute
>>
>> > > > By doing this, we are giving a way to hacker to intrude by disabling
>> > > > the event validation.
>>
>> > > > This can be prevented by use of RegisterForEventValidation methods of
>> > > > ClientScriptManager class
>>
>> > > > We need to register the server control ID with the all the possible
>> > > > values that can be posted by JavaScript by that control in Render
>> > > > Event of the page using
>>
>> > > > ClientScript.RegisterForEventValidation()
>>
>> > > > Check out this for the relevant article
>> > > > http://www.codedigest.com/Articles/ASPNET/221_Using_JavaScript_Effect...
>>
>> > > > On Wed, Sep 9, 2009 at 11:24 PM, Raghupathi Kamuni
>> > > > <[email protected]> wrote:
>>
>> > > > > ViewState and Dynamic Control
>> > > > > http://geekswithblogs.net/FrostRed/archive/2007/02/17/106547.aspx
>>
>> > > > > http://weblogs.asp.net/alessandro/archive/2008/01/04/failed-to-load-v...
>>
>> > > > > On Wed, Sep 9, 2009 at 11:01 PM, Ana <[email protected]>
>> > > > > wrote:
>>
>> > > > >> Hi,
>>
>> > > > >> In my page I have a Gridview and a FormView. For each row in the
>> > > > >> GridView, there's a linkButton *Details* that shows the FormView
>> > > > >> with the information about the selected record in the GridView.
>> > > > >> In the FormView, users are able to edit and delete records. However,
>> > > > >> every time I cancel the editing of a record and try to see the
>> > > > >> formview for this record (clicking in *Details* on the GridView), I
>> > > > >> have the following error message:
>>
>> > > > >> --
>> > > > >> Failed to load viewstate. The control tree into which viewstate is
>> > > > >> being loaded must match the control tree that was used to save
>> > > > >> viewstate during the previous request. For example, when adding
>> > > > >> controls dynamically, the controls added during a post-back must
>> > > > >> match the type and position of the controls added during the initial
>> > > > >> request.
>> > > > >> --
>>
>> > > > >> What is happening here? Why this error message is being fired?
>>
>> > > > >> Thanks in advance,
>>
>> > > > >> Ana
