Invalid Viewstate since the ASP.NET Oracle padding vulnerability security patch

Time: 2010-09-29 14:40:02

Tags: asp.net

Since installing the security patch for the ASP.NET Oracle Padding vulnerability, any user who stays logged in to our site gets an error message when visiting any page.

The error logged on the server is

System.Web.UI.ViewStateException: Invalid viewstate. 
Client IP: xxx.xxx.xxx.xxx
Port: 55796
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0
ViewState: l4nsXEvWcOwlDpmdbxw916bpHoPiqdBP7Syb+zCQAv44xv/r3oLtETKTL28/Gts6
Referer: 
Path: /product/4795/fender-usa-deluxe-stratocaster-mn-olympic-white-pearl

With custom errors turned off, users see the following

Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster. 
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. 

Exception Details: System.Web.HttpException: Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.

Source Error: 

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.  

Stack Trace: 


[ViewStateException: Invalid viewstate. 
Client IP: xxx.xxx.xxx.xxx
Port: 3588
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.5; .NET CLR 2.0.50727; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
ViewState: s0toPCu7bxkB7a3G+KTxawY3ILf1qunZyIqNBKg8xSoqY2BkWIUCJAHKFKo2RnJw
Referer: 
Path: /]

[HttpException (0x80004005): Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.]
System.Web.UI.ViewStateException.ThrowError(Exception inner, String persistedState, String errorPageMessage, Boolean macValidationError) +118
System.Web.UI.ViewStateException.ThrowMacValidationError(Exception inner, String persistedState) +13
System.Web.UI.ObjectStateFormatter.Deserialize(String inputString) +238
System.Web.UI.ObjectStateFormatter.System.Web.UI.IStateFormatter.Deserialize(String serializedState) +5
System.Web.Mvc.AntiForgeryDataSerializer.Deserialize(String serializedToken) +90

The fix for this is to delete all cookies and log in again, but obviously ordinary users won't know to do that, and I worry they will think our site is broken.

Is there anything I can do, such as forcing logged-in users to log in again?

Thanks for any help

3 answers:

Answer 0 (score: 2)

There is probably no avoiding this. If they changed the key generation/validation code, all currently generated key cookies will now be invalid.

You could catch the exception with an error handler in global.asax (or an HttpModule) and try to delete the forms authentication cookie from the user's machine.

That may get things working.
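The handler this answer describes, as an added example rather than the answerer's code: a hypothetical Global.asax.cs that recognises the MAC validation failure, expires the forms authentication cookie, and redirects to the login page. Because the stack trace in the question shows the failure surfacing in AntiForgeryDataSerializer.Deserialize, it also expires MVC anti-forgery cookies; the cookie-name prefix `__RequestVerificationToken` is an assumption.

```csharp
// Hypothetical Global.asax.cs (added example, not from the original post).
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public class Global : HttpApplication
{
    // Assumed prefix of the MVC anti-forgery cookie name.
    private const string AntiForgeryCookiePrefix = "__RequestVerificationToken";

    protected void Application_Error(object sender, EventArgs e)
    {
        if (!IsViewStateMacFailure(Server.GetLastError()))
            return; // any other error keeps the normal error page

        // Drop the server-side notion of the logged-in user.
        FormsAuthentication.SignOut();

        // Expire the cookies protected with the pre-patch key so the browser
        // stops sending them; the user then gets a fresh ticket on login.
        ExpireCookie(FormsAuthentication.FormsCookieName, FormsAuthentication.FormsCookiePath);
        foreach (string name in Request.Cookies.AllKeys)
            if (name.StartsWith(AntiForgeryCookiePrefix, StringComparison.Ordinal))
                ExpireCookie(name, "/");

        // Swallow the exception and send the user to the login page.
        Server.ClearError();
        Response.Redirect(FormsAuthentication.LoginUrl, false);
        Context.ApplicationInstance.CompleteRequest();
    }

    private void ExpireCookie(string name, string path)
    {
        var cookie = new HttpCookie(name, string.Empty)
        {
            Expires = DateTime.UtcNow.AddYears(-1), Path = path, HttpOnly = true
        };
        Response.Cookies.Add(cookie);
    }

    // The failure arrives as ViewStateException or as the HttpException that
    // wraps it (see the trace in the question), so walk the InnerException chain.
    private static bool IsViewStateMacFailure(Exception ex)
    {
        for (; ex != null; ex = ex.InnerException)
        {
            if (ex is ViewStateException) return true;
            if (ex is HttpException &&
                ex.Message.Contains("Validation of viewstate MAC failed")) return true;
        }
        return false;
    }
}
```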

Answer 1 (score: 0)

I say this without knowing whether it is really the case, or the patch, but:

If this is happening in the application, try catching the exception that leads to the error page and build a custom page explaining the steps needed to continue. If it is happening on the server, there may be a whole bunch of settings (in IIS) that may or may not be of any use.

Answer 2 (score: 0)

What you describe doesn't look like invalid ViewState, but an invalid authentication cookie.

If you are certain it is ViewState, then they would be submitting the page they had open in the browser / it has nothing to do with the cookies.

As for auth cookies, I would expect asp.net authorization to redirect to your login page. Are you doing anything custom with auth tickets/cookies?