Wednesday, August 29, 2012

SharePoint 2010 The Security Validation for This Page is Invalid Error

Recently while working on a custom application page that added items to a List, I was getting "The security validation for this page is invalid." error.  The full error message is "The security validation for this page is invalid. Click Back in your Web browser, refresh the page, and try your operation again."



This was extremely annoying and caused me a few headaches.  Googling came up with a ton of blog posts about setting web.AllowUnsafeUpdates = true was the solution.  I did not find this to be the case.

Some other posts brought up the need for a FormDigest control on your page.  This led me to the solution that worked for me.

From the MSDN page "To make posts from a Web application that modify the contents of the database, you must include the FormDigest control in the form making the post. The FormDigest control generates a security validation, or message digest, to help prevent the type of attack whereby a user is tricked into posting data to the server without knowing it. The security validation is specific to a user, site, and time period and expires after a configurable amount of time. When the user requests a page, the server returns the page with security validation inserted. When the user then submits the form, the server verifies that the security validation has not changed."

The key piece of information I found in here was the following line: "The security validation is specific to a user, site, and time period and expires after a configurable amount of time."

From my testing, I had a web and list under the following structure:
  • http://sp2010/sites/dept/dept1
  • http://sp2010/sites/dept/dept1/Lists/TestList/AllItems.aspx
My custom application page would take some input from the user and then add items to the TestList under the Dept1 web.

Now being an application page that gets put in the Layouts folder, I could access this page from any url that uses the _layouts url, like the following:
  • http://sp2010/sites/dept/dept1/_layouts/MyCustomAppPage/apppage.aspx
  • http://sp2010/_layouts/MyCustomAppPage/apppage.aspx
Both of the above URLs would render the page and post, but the first one will prove to be the winner.

Here is the fix:
  1. If your MasterPage does not already have the FormsDigest control, add it to your application page.

    You'll need to add the declaration to the top of your page: <%@ Register Tagprefix="SharePoint" Namespace="Microsoft.SharePoint.WebControls" Assembly="Microsoft.SharePoint, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>

    Next add the control to the Main section of your page:
    <SharePoint:FormDigest ID="FormDigest1" runat="server" />
  2. Now, ensure you only call your page via a URL that includes the web.  Again, from the MSDN article: "The security validation is specific to a user, site, and time period and expires after a configurable amount of time."  So, after I added the FormDigest control to my page and using the 2 URLs from above, the second continued to fail.  This is because the list I was trying to update lived under the Dept1 web.  Once I started using the first URL (http://sp2010/sites/dept/dept1/_layouts/MyCustomAppPage/apppage.aspx), the error disappeared.
Hopefully this post will help anyone who can't get the web.AllowUnsafeUpdates = true solution to work.

Enjoy!

No comments:

Post a Comment