Hello, 

I'm experiencing an issue with DNN 7.2.2.

Steps to reproduce:

1. Open the DNN site in a browser without being authenticated (let's call this window "A")
2. Now locate any link that brings you to a different page within the same site but open it on a new window (right click, Open in a new window, etc). Now you have two browser windows with the same session, let's call the last one  "window B"
3. In window B authenticate yourself using the standard DNN control.
4. Now, on window A press any button that makes a postback (HTTP Post). Please note if you make a GET request it will work, it has to be a post.
5. You should see a 500 Internal server error (error in log refers to Invalid Viewstate, please see full error at the bottom of this post)

This issue was solved in the past disabling "view state mac validation" but latest asp .net changes pushed by Windows Update had forbidden this and make the validation mandatory.

http://blogs.msdn.com/b/webdev/archive/2014/09/09/farewell-enableviewstatemac.aspx

https://technet.microsoft.com/library/security/2905247

So, the question is how to solve the above issue? I tried to implement tips and advices on how to resolve this without any luck.

• I'm using IIS 7.5
• I'm not in a web farm
• I've tried pretty much everything advised here: http://support2.microsoft.com/kb/2915218
  • Setting LoadUserProfile = true for the AppPool
  • Setting machineKey in web.config file
  • etc

You could ask what kind of valid scenario would involve authenticating in a separate browser window. Well, my scenario is different: I have a component with some buttons, if the user is not authenticated when pressing the button a SignIn popup is displayed with usual login component. After successful authentication the popup is closed and the same button is pressed again through javascript (I call __doPostBack, etc). The problem here is that the popup is a Telerik RadWindow that basically creates a window-like div with an IFrame and the IFrame loads the sign in component. Technically speaking that IFrame is pretty much the same as having a second page.

The above example having 2 opened pages is just the minimal and most straight forward way I've found of describing the problem.

 

Any ideas?

 

Thanks in advance for your help

 

In the logs:

2014-10-06 17:26:13,371 [SITE][Thread:43][ERROR] DotNetNuke.Services.Exceptions.Exceptions - DotNetNuke.Services.Exceptions.PageLoadException: Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.

See http://go.microsoft.com/fwlink/?LinkID=314055 for more information. ---> System.Web.HttpException: Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.

See http://go.microsoft.com/fwlink/?LinkID=314055 for more information. ---> System.Web.UI.ViewStateException: Invalid viewstate. 

Client IP: 192.168.2.192

Port: 5724

Referer: http://www.site.com/TestPage.aspx

Path: /Default.aspx

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.124 Safari/537.36

ViewState: /wEPDw etc ...

   --- End of inner exception stack trace ---

   at System.Web.UI.ViewStateException.ThrowMacValidati (Exception inner, String persistedState)

   at System.Web.UI.ObjectStateFormatter.Deserialize(String inputString, Purpose purpose)

   at System.Web.UI.Util.DeserializeWithAssert(IStateFormatter2 formatter, String serializedState, Purpose purpose)

   at System.Web.UI.HiddenFieldPageStatePersister.Load()

   at System.Web.UI.Page.LoadPageStateFromPersistenceMedium()

   at System.Web.UI.Page.LoadAllState()

   at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

   --- End of inner exception stack trace ---

 

 

 

what you're describing is behaviour by design - when a user is validated a value called viewstateuserkey is set so that asp.net can validate if a page postback comes from the same user who initially loaded a page -this is a necessary security measure to ensure that cross-site request forgery does not occur. Without this, I could post data from one site to another, or log in as one user but alter the post to post data from another user. Whilst you could edit out the relevant code from DNN, I would not recommend trying to work around this as you open yourself up to potential security issues.

---

Buy the new Professional DNN7: Open Source .NET CMS Platform book Amazon US

Thanks for your responses.

Cathal, I understand DNN implements an additional security measure besides the viewstate mac validation (like http://stackoverflow.com/questions/5728106/how-to-detect-viewstate-is-tamper-or-not-programatically). This is why my feature is working in every non-DNN environment out there.

If that's the case I'll try to change how my component works, perhaps enforcing a GET before doing a POST over the original button. Any advices would be appreciated.

Thanks for all your help