locked
ViewState error on Logout page after clearing out session cookies and then clicking button RRS feed

 > 

  • Question

  • Question
    Sign in to vote
    0
    Sign in to vote
    User-173333858 posted

    Hi,

    My application has a Logout page, which tells the user 'You have been logged out". So, on Page_load, I clear out all the session variables cookies. But this page also has a 'LOGIN AGAIN' button. When I click this, it gives me 'invalid Viewstate' error'. If I comment out the cookie  and session variable clearing in Page_Load, the error does not occur.  How can I ignore the change in the ViewState, so it actually redirects to the Home page when button is clicked, still clearing out session and cookies. Attaching my code.

    -Rashmi

    public partial class Admin_Logout : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            try
            {
                if (Request.QueryString["Error"] != null)
                {
                    if (Request.QueryString["Error"].ToString().ToUpper() == "YES")
                    {
                        lbllogout.Text = "Please contact administrator.";
                        //creates a log file or appends to existing log file and writes the error output to the file                
                    }
                }
                if (Request.QueryString["ErrorValue"] != null)
                {
                    lbllogout.Text = "Please contact administrator.\n";
                    lbllogouttxt.Text = Sanitizer.GetSafeHtmlFragment(Request.QueryString["ErrorValue"].ToString());
                }

                Session["LoginEmplId"] = null;
                Session["LoginFullName"] = null;
                Session.Abandon();
                Session.Clear();
                Session.RemoveAll();
                Response.Cache.SetCacheability(HttpCacheability.NoCache);
                Response.Buffer = true;
                Response.Cache.SetNoStore();
                Response.ExpiresAbsolute = DateTime.Now.AddDays(-1d);
                Response.Expires = -1000;
                Response.Cookies.Clear();
                Response.CacheControl = "no-cache";
                string[] cookies = Request.Cookies.AllKeys;
                foreach (string cookie in cookies)
                {
                    if (Request.Cookies[cookie] != null)
                    {
                        HttpCookie myCookie = new HttpCookie((cookie).Replace("\r", string.Empty)
                            .Replace("%0d", string.Empty)
                             .Replace("%0D", string.Empty)
                             .Replace("\n", string.Empty)
                             .Replace("%0a", string.Empty)
                             .Replace("%0A", string.Empty)
                            );
                        myCookie.Expires = DateTime.Now.AddDays(-1d);
                        Response.Cookies.Add(myCookie);
                    }
                }
                if (Response.Cookies["SMSESSION"] != null)
                {
                    HttpCookie myCookie = new HttpCookie("SMSESSION");
                    myCookie.Expires = DateTime.Now.AddDays(-1d);
                    Response.Cookies.Add(myCookie);
                }


            }
            catch (HttpRequestValidationException)
            {
                Response.Redirect("~/Home.aspx");
            }
           
        }
        protected void loginbutton_Click(object sender, EventArgs e)
        {
            if (Page.IsValid)
            {
                string[] cookies = Request.Cookies.AllKeys;
                foreach (string cookie in cookies)
                {
                    if (Request.Cookies[cookie] != null)
                    {
                        HttpCookie myCookie = new HttpCookie(cookie);
                        myCookie.Expires = DateTime.Now.AddDays(-1d);
                        Response.Cookies.Add(myCookie);
                    }

                }
                Session["LoginEmplId"] = null;
                Session["LoginFullName"] = null;
                Session.Abandon();
                Session.Clear();
                Session.RemoveAll();
                Response.Cache.SetCacheability(HttpCacheability.NoCache);
                Response.Buffer = true;
                Response.Cache.SetNoStore();
                Response.ExpiresAbsolute = DateTime.Now.AddDays(-1d);
                Response.Expires = -1000;
                Response.CacheControl = ("no-cache");
                Response.Cookies.Clear();
                Response.Redirect("~/Home.aspx");
            }
        }
    }
}



    Wednesday, July 10, 2019 2:54 AM

All replies

  • Question
    Sign in to vote
    0
    Sign in to vote
    User665608656 posted

    Hi RDesh,

    According to your description, the reason for the error should be that viewstate decryption failed.

    I suggest that you can add the information on your aspx page:

    <%@ Page Language="C#" ViewStateEncryptionMode="Never" EnableEventValidation="false"  AutoEventWireup="true" CodeBehind="WebForm_0710_2157572.aspx.cs" Inherits="WebApplication_July.Case_two.WebForm_0710_2157572" %>

    You could also refer to this link : Validation of viewstate MAC failed error

    Best Regards,

    YongQing.

    Thursday, July 11, 2019 6:47 AM
  • Question
    Sign in to vote
    0
    Sign in to vote
    User-173333858 posted

    Hi YongQing,

    I have tried using this solution that you have suggested earlier, the error still remains. Also, I have to scan my project thru Veracode, and am not sure it will pass those scans with the settings disabled. I am wondering if this has got to do with the Visual Studio version. I upgraded to VS 2017, whereas other projects compiled on VS 2014 using same type of logout code work fine. In the link you have suggested, they are saying to upgrade the .Net version. I will be trying that, since I don't have administrative rights to check the version. 

    Hoping to resolve this.

    thanks,

    -Rashmi

    Thursday, July 11, 2019 10:40 AM
  • Question
    Sign in to vote
    0
    Sign in to vote
    User647896048 posted

    Hi RDesh,

    I've recently had the invalid viewstate message appearing in the Windows Eventlog. From most browsers it would appear randomly, and very occasionally (if ever). From one particular iPhone, it happened every time they accessed the site.

    After much investigation, mainly around cached pages, I finally found the iPhone problem was simply the setting to block cookies on the device.

    It had nothing to do with web farms, machine keys, or anything else that I'd found from searching.

    Note: We are using the ASP.Net State Service, and persisting viewstate at the server.

    While it makes complete sense that the server can't retrieve the viewstate from the ASP.Net State Service without a session, the misleading error message generated by the ASP Framework is a bit of a problem.

    I've tested this on a desktop browser, deleting the cookie, and on the iPhone, changing the block cookies setting.

    6 months on, your probably have an answer by now, but the above may help someone.

    I'm still investigating the random occurrences. They may be related.

    Tuesday, March 3, 2020 9:41 PM
  • Question
    Sign in to vote
    0
    Sign in to vote
    User-173333858 posted

    Hi steveinmalvern,

    Thanks for your reply. Yes, that might be a solution to that problem. Mine was solved my compiling the project on the same older version that it was built on. 

    Thanks!

    -RDesh

    Thursday, March 5, 2020 3:15 PM