CryptographicException:填充无效且无法删除，并且视图状态 MAC 验证失败

CryptographicException: Padding is invalid and cannot be removed and Validation of viewstate MAC failed(CryptographicException:填充无效且无法删除，并且视图状态 MAC 验证失败)

问题描述

监控我的全局异常日志，无论我做什么，这个错误似乎都无法消除，我以为我终于摆脱了它，但它又回来了.您可以在 这里有类似的帖子.

Monitoring my global exception logs this error seems to be impossible to remove no matter what I do, I thought I finally got rid of it but it's back again. You can see a strack trace of the error on a similar post here.

环境注意事项:

IIS 6.0、.NET 3.5 SP1 单一服务器 ASP.NET 应用程序

IIS 6.0, .NET 3.5 SP1 single server ASP.NET application

已经采取的步骤:

  <system.web>
    <machineKey validationKey="big encryption key"
      decryptionKey="big decryption key"
      validation="SHA1" decryption="AES" />

在我所有页面的页面库中

In my Page Base for all of my pages

  protected override void OnInit(EventArgs e)
  {
    const string viewStateKey = "big key value";

    Page.ViewStateUserKey = viewStateKey;
  }

在页面的源代码中，我可以看到所有 ASP.NET 生成的隐藏字段都正确地位于页面顶部.

Also in the source of the page I can see that all of the ASP.NET generated hidden fields are correctly at the top of the page.

推荐答案

首先让我们从一个事实说起，这种视图状态错误发生在 PostBack 上.

First of all lets start from the fact, that this error of view state happens on PostBack.

另外我必须说我已经做了每个人都建议做的所有事情来避免这个问题.我只有一台机器，但有 2 个运行相同页面的池.

Also I must say that I have done all the things that every one suggest to do to avoid this problem. And I have single machine, but 2 pools that run the same Pages.

所以有人采取行动，通过点击"您的页面来寻找一个人、寻找其他搜索机器，或者某个黑客试图检查您的系统是否存在问题...

So someone do an action, ether a man, ether some other search machine by 'clicking' on your pages, or some hacker try to check your system for problems...

我有类似的问题(罕见但存在)，我终于发现人们试图对我的网页进行黑客测试.(来自我拥有的同一个 IP 和 dos 攻击)

I have similar problems (rare but existing ones), and I finally found that people try to hack-test my pages. (from the same IP I have and dos attacks)

我修改函数 LoadPageStateFromPersistenceMedium() 转换视图状态，并通过记录输入的确切内容以及来自哪些 IP 来查看...然后我开始监控这些结果并看到视图状态是手动更改的 - 或者完全是空的.

I modify the function LoadPageStateFromPersistenceMedium() that translate the viewstate, and see by logging what exactly was the input, and from what IPs... then I started monitor these results and see that the view state was changed by hand - or was totally empty.

出错时我只是将他重定向到同一页面...

On error I just redirect him to the same page...

这就是我所做的......

Here is what I did...

public abstract class BasePage : System.Web.UI.Page
{
    protected override object LoadPageStateFromPersistenceMedium()
    {
        try
        {
            .. return the base, or make here your decompress, or what ever...
            return base.LoadPageStateFromPersistenceMedium();            
        }
        catch (Exception x)
        {
            string vsString = Request.Form[__VIEWSTATE];
            string cThePage = Request.RawUrl;

            ...log the x.ToString() error...
            ...log the vsString...
            ...log the ip coming from...
            ...log the cThePage...

        // check by your self for local errors
            Debug.Fail("Fail to load view state ! Reason:" + x.ToString());
        }

        // if reach here, then have fail, so I reload the page - maybe here you
        // can place somthing like ?rnd=RandomNumber&ErrorId=1 and show a message
        Responce.Redirect(Request.RawUrl, true);        

        // the return is not used after the redirect
        return string.Empty;
    }    
}

第二个原因

现在发生这种情况还有一个原因，原因是在加载 __EVENTVALIDATION 之前有人单击了您的页面.

Second Reason

Now there is one more reason why this can happen, and the reason is because some one click on your page before the __EVENTVALIDATION is loaded.

这个 eventValidation 被放置在最后一个按钮上——即使是 asp.net 找到的那个按钮，如果你在页面上的很多地方或者按钮附近都有一些，那么这个就到页面的末尾.

This eventValidation is placed on the last button-even that asp.net found, and if you have some of them on many place on the page, or near the button, then this go to the end of the page.

所以即使你看到页面顶部的视图状态，验证在哪里???也许这从未加载过 - 页面损坏?，用户点击页面太快?

So even if you see the viewstate on the top of the page, where is the Validation ??? maybe this never loaded - page corrupt ?, too fast user click on page ?

<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" ... >

为避免此类问题，我制作了一个简单的 javascript，除非已加载此输入，否则我不会让它按下按钮！！！.

To avoid this kind of problem I made a simple javascript that I do not let it press the button unless this input have been loaded !!!.

还有一条评论，__EVENTVALIDATION 并不总是存在！因此，如果您制定通用解决方案，则不要搜索此字段可能更安全，而是制作一个 javascript 技巧来检查是否已加载整个页面，或者您认为的其他内容.

One more comment, the __EVENTVALIDATION is not always presents ! so is maybe safer not to search for this field if you make a general solution, but to make a javascript trick to just check if the full page is loaded, or something else that you think.

这是我使用 jQuery 的最终解决方案:(请注意，如果 eventvalidation 存在，我会检查 PageLoad！).我把它放在我的 MasterPages 上.

Here is my final solution with jQuery: (note that I check on PageLoad if eventvalidation exist !). I have this placed on my MasterPages.

<script language="javascript" type="text/javascript">
    function AllowFormToRun()
    {
        var MyEventValidation = $("#__EVENTVALIDATION");

        if(MyEventValidation.length == 0 || MyEventValidation.val() == ""){
            alert("Please wait for the page to fully loaded.");
            return false;
        }

        return true; 
    }       
</script>

protected void Page_Load(object sender, EventArgs e)
{
    // I do not know if Page can be null - just in case I place it.
    if (Page != null && Page.EnableEventValidation)
    {
        Form.Attributes["onsubmit"] = "return AllowFormToRun();";
    }
}

您可以通过在页面按钮附近放置延迟来进行测试.

You can test by placing near the button of your page a delay.

<% System.Threading.Thread.Sleep(5000); %>

更新

今天我在日志中再次看到 WebResource 的这条消息，我发现机器人获取页面并将链接上的所有字符都设为小写，包括参数，所以这是没有得到正确编码字符串的另一个原因，并抛出类似 Padding is invalid and cannot be removed.

Update

Today I see in log this message again for WebResource and what I discover is that a bot getting the pages and make all the character on the links in lower case, including the parameters, so this was one more reason to not getting the correct encoded string, and throw a message like Padding is invalid and cannot be removed.

希望这对您有更多帮助.

Hope this help you more.

这篇关于CryptographicException:填充无效且无法删除，并且视图状态 MAC 验证失败的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持编程学习网！