CryptographicException:填充无效且无法移除且视图状态 MAC 验证失败 [英] CryptographicException: Padding is invalid and cannot be removed and Validation of viewstate MAC failed
问题描述
监控我的全局异常日志,无论我做什么,这个错误似乎都无法消除,我以为我终于摆脱了它,但它又回来了.您可以在 这里有类似的帖子.
Monitoring my global exception logs this error seems to be impossible to remove no matter what I do, I thought I finally got rid of it but it's back again. You can see a strack trace of the error on a similar post here.
环境注意事项:
IIS 6.0、.NET 3.5 SP1 单服务器 ASP.NET 应用程序
IIS 6.0, .NET 3.5 SP1 single server ASP.NET application
已经采取的步骤:
<system.web>
<machineKey validationKey="big encryption key"
decryptionKey="big decryption key"
validation="SHA1" decryption="AES" />
在我所有页面的页面库中
In my Page Base for all of my pages
protected override void OnInit(EventArgs e)
{
const string viewStateKey = "big key value";
Page.ViewStateUserKey = viewStateKey;
}
同样在页面的源代码中,我可以看到所有 ASP.NET 生成的隐藏字段都正确地位于页面顶部.
Also in the source of the page I can see that all of the ASP.NET generated hidden fields are correctly at the top of the page.
推荐答案
首先让我们从这个视图状态错误发生在 PostBack 的事实开始.
First of all lets start from the fact, that this error of view state happens on PostBack.
另外我必须说我已经做了每个人建议的所有事情来避免这个问题.我有一台机器,但有 2 个运行相同页面的池.
Also I must say that I have done all the things that every one suggest to do to avoid this problem. And I have single machine, but 2 pools that run the same Pages.
所以某人做某事,通过点击"您的页面来访问某个人,访问其他搜索机器,或者某个黑客试图检查您的系统是否存在问题...
So someone do an action, ether a man, ether some other search machine by 'clicking' on your pages, or some hacker try to check your system for problems...
我遇到了类似的问题(罕见但存在的问题),我终于发现人们试图对我的网页进行黑客测试.(来自我拥有的同一个 IP 和 dos 攻击)
I have similar problems (rare but existing ones), and I finally found that people try to hack-test my pages. (from the same IP I have and dos attacks)
我修改函数 LoadPageStateFromPersistenceMedium() 转换视图状态,并通过记录输入的确切内容以及来自哪些 IP 来查看...然后我开始监视这些结果并看到视图状态是手动更改的 - 或者完全为空.
I modify the function LoadPageStateFromPersistenceMedium() that translate the viewstate, and see by logging what exactly was the input, and from what IPs... then I started monitor these results and see that the view state was changed by hand - or was totally empty.
出错时,我只是将他重定向到同一页面...
On error I just redirect him to the same page...
这就是我所做的...
public abstract class BasePage : System.Web.UI.Page
{
protected override object LoadPageStateFromPersistenceMedium()
{
try
{
.. return the base, or make here your decompress, or what ever...
return base.LoadPageStateFromPersistenceMedium();
}
catch (Exception x)
{
string vsString = Request.Form[__VIEWSTATE];
string cThePage = Request.RawUrl;
...log the x.ToString() error...
...log the vsString...
...log the ip coming from...
...log the cThePage...
// check by your self for local errors
Debug.Fail("Fail to load view state ! Reason:" + x.ToString());
}
// if reach here, then have fail, so I reload the page - maybe here you
// can place somthing like ?rnd=RandomNumber&ErrorId=1 and show a message
Responce.Redirect(Request.RawUrl, true);
// the return is not used after the redirect
return string.Empty;
}
}
第二个原因
现在发生这种情况还有另外一个原因,原因是有人在加载 __EVENTVALIDATION 之前单击了您的页面.
Second Reason
Now there is one more reason why this can happen, and the reason is because some one click on your page before the __EVENTVALIDATION is loaded.
这个 eventValidation 被放置在最后一个按钮上——即使是那个 asp.net 找到的,如果你在页面的很多地方或按钮附近有一些,那么这会转到页面的末尾.
This eventValidation is placed on the last button-even that asp.net found, and if you have some of them on many place on the page, or near the button, then this go to the end of the page.
所以即使你看到页面顶部的视图状态,验证在哪里???也许这从未加载 - 页面损坏?,用户点击页面太快?
So even if you see the viewstate on the top of the page, where is the Validation ??? maybe this never loaded - page corrupt ?, too fast user click on page ?
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" ... >
为了避免这种问题,我做了一个简单的javascript,除非这个输入已经加载,否则我不会让它按下按钮!!!.
To avoid this kind of problem I made a simple javascript that I do not let it press the button unless this input have been loaded !!!.
还有一条评论,__EVENTVALIDATION 并不总是出现!因此,如果您提出通用解决方案,则不搜索此字段可能更安全,而是使用 javascript 技巧来检查是否已加载整个页面或您认为的其他内容.
One more comment, the __EVENTVALIDATION is not always presents ! so is maybe safer not to search for this field if you make a general solution, but to make a javascript trick to just check if the full page is loaded, or something else that you think.
这是我使用 jQuery 的最终解决方案:(请注意,如果 eventvalidation 存在,我会检查 PageLoad !).我已将此放在我的 MasterPages 上.
Here is my final solution with jQuery: (note that I check on PageLoad if eventvalidation exist !). I have this placed on my MasterPages.
<script language="javascript" type="text/javascript">
function AllowFormToRun()
{
var MyEventValidation = $("#__EVENTVALIDATION");
if(MyEventValidation.length == 0 || MyEventValidation.val() == ""){
alert("Please wait for the page to fully loaded.");
return false;
}
return true;
}
</script>
protected void Page_Load(object sender, EventArgs e)
{
// I do not know if Page can be null - just in case I place it.
if (Page != null && Page.EnableEventValidation)
{
Form.Attributes["onsubmit"] = "return AllowFormToRun();";
}
}
您可以通过在页面按钮附近放置一个延迟来进行测试.
You can test by placing near the button of your page a delay.
<% System.Threading.Thread.Sleep(5000); %>
更新
今天我在日志中再次看到 WebResource 的这条消息,我发现一个机器人获取页面并将链接上的所有字符都设为小写,包括参数,所以这是无法获得正确编码字符串并抛出类似填充无效且无法删除的消息的另一个原因.
Update
Today I see in log this message again for WebResource and what I discover is that a bot getting the pages and make all the character on the links in lower case, including the parameters, so this was one more reason to not getting the correct encoded string, and throw a message like Padding is invalid and cannot be removed.
希望这对您有更多帮助.
Hope this help you more.
这篇关于CryptographicException:填充无效且无法移除且视图状态 MAC 验证失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
