
ASP.NET 4.0 MAC validation failure

To begin, I should mention that I'm quite new to C# and ASP.NET 4.0. The solution to this problem may be elementary so don't hesitate to ask fundamental questions.

I've inherited an ASP.NET 4.0 application that failed our automated security test because of <page enableViewStateMac="false"> (not my fault). Of course, I turned it on. At that point a very specific pattern of behavior emerged:

1) I can navigate to the application landing page

2) attempting to click on any link leaving the landing page results in a "Validation of viewstate MAC failed..." error.

2a) the exception to this is that clicking on the link that takes me to the landing page (the page I'm already on) works just fine

I should mention that navigation to other ASPs occurs by way of Response.Redirect(...). I can successfully navigate to a page if I enter the URL directly into the nav bar (http://dummyhost.com:12345/Enroll.aspx as opposed to http://dummyhost.com:12345/LandingPage.aspx and then clicking on enroll).

In the Page_Init() method of the master page, I'm setting:

Page.ViewStateUserKey = Session.SessionID;

If I comment out this line, I can turn on MAC and the application is perfectly happy. Can anyone illuminate what's going on?

The most likely cause is that some landing-page-specific data is being submitted to the server and persisting through the call to Response.Redirect, so the enrollment page tries to read the landing-page-specific data and fails the request since the data cannot be interpreted correctly.

Instead of using Response.Redirect, consider using <a href="Enroll.aspx">...</a> directly in your markup when you want to generate a simple link. This will cause the browser to make a vanilla HTTP GET request to the specified resource, free of any current-page-specific data.
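
An added example, not part of the original question or answer and not ASP.NET's own implementation: a simplified C# model of a view-state MAC that includes a per-user key, showing that a field issued under one ViewStateUserKey value only validates under the same value. ViewStateMacModel, its methods, the validation key and the session ID strings are constructed for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Simplified model of a keyed view-state MAC. NOT ASP.NET's internal algorithm;
// it only illustrates that the user key is part of the MAC input.
static class ViewStateMacModel
{
    // Constructed stand-in for the machineKey validation key (assumption).
    static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-validation-key");

    // MAC = HMAC-SHA256(Key, len(state) || state || userKey); the length prefix
    // keeps the state/userKey boundary unambiguous.
    static byte[] ComputeMac(byte[] state, string userKey)
    {
        byte[] user = Encoding.UTF8.GetBytes(userKey ?? "");
        byte[] input = BitConverter.GetBytes(state.Length).Concat(state).Concat(user).ToArray();
        using (var hmac = new HMACSHA256(Key)) return hmac.ComputeHash(input);
    }

    // Hidden-field value: Base64(state || MAC).
    public static string Protect(byte[] state, string userKey)
    {
        return Convert.ToBase64String(state.Concat(ComputeMac(state, userKey)).ToArray());
    }

    // Recomputes the MAC with the key in effect on the postback; rejects on mismatch.
    public static bool TryUnprotect(string field, string userKey, out byte[] state)
    {
        state = null;
        byte[] raw;
        try { raw = Convert.FromBase64String(field); } catch (FormatException) { return false; }
        if (raw.Length < 32) return false;
        byte[] body = raw.Take(raw.Length - 32).ToArray();
        byte[] expected = ComputeMac(body, userKey);
        int diff = 0; // accumulate differences so the compare is constant-time
        for (int i = 0; i < 32; i++) diff |= raw[body.Length + i] ^ expected[i];
        if (diff != 0) return false;
        state = body;
        return true;
    }

    static void Main()
    {
        string field = Protect(Encoding.UTF8.GetBytes("control-state"), "session-id-A");
        byte[] s;
        Console.WriteLine("same key: " + TryUnprotect(field, "session-id-A", out s));
        Console.WriteLine("different key: " + TryUnprotect(field, "session-id-B", out s));
    }
}
```

With ViewStateUserKey = Session.SessionID, validation therefore depends on the session ID being the same on the request that rendered the form and on the request that posts it back.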
