Microsoft now no longer recongizes enableViewStateMAC=false. How to Suppress the ViewState MAC Error?

Question

User1421602847 posted

Beginning in a recent OS Patch, you can no longer disable the ViewState MAC check.  Microsoft says this is because using this is a security risk and they know better than you. While that may be true, there are many cases where application may not be able to avoid a ViewStateMAC error. And so Microsoft's decision to FORCE you to use it can adversely affect your application. One example is an application that dynamically adds fields to a form based on database settings. An administrator decides to remove a field from a form while a user has the form open in a browser. The field is removed and then the user submits his form to the server. The application attempts to rebuild the form but now with one less field and guess what happens! The user is rewarded with a ViewState error. I have a client where this is now occurring after the server OS was patched.

I personally do not appreciate Microsoft forcing us to use security feature...it simply should be our choice. Regardless if you agree or disagree, it has left many of us with broken applications. Does anyone know if we can at least suppress the application error from getting generated so that the user does not see an error condition?

Thanks in Advance.

Answer 1

User-734925760 posted

Hi,

According to your description, I think you need to make some custom checking for your application, also you can try to use __VIEWSTATE form field.

There is a blog about this, please refer to the link below:

http://blogs.msdn.com/b/webdev/archive/2014/09/09/farewell-enableviewstatemac.aspx

Hope it's useful for you.

Best Regards,

Michelle Ge

Answer 2

User1421602847 posted

Thanks Michelle. Yes we can detect a ViewStateMAC error but the page fails none-the-less. So the underlying problem is that we have to identify what is causing the ViewStateMAC errors and has proved to be an impossible task so far. We have researched thousands of pages and tried every suggestion. We are now trying to rewrite the pages to use not VIEWSTATE at all which completely defeats the purpose of this great feature. The web is littered with bazillions of users fighting this error. My client had to resort to using enableViewStateMAC=false and now that is no longer an option. Since we did not see the bulletin about this change and my client has production servers with pages crashing, have tried everything MS suggest to fix these and have no tools to identify the cause. This could bring down their small business.

My point was that you can perform completely valid coding that can cause ViewStateMAC checksums to change while a ViewStateMAC change could be a security attack, 99.9% of the time it is not. But MS decides it so dangerous that it must match every time. Of all the problems, ASP.NET security, MS had to choose this one to shove down our throats?