The security validation for this page is invalid in SharePoint

While writing code against SharePoint you will probably have met the following error.

“The security validation for this page is invalid. Click Back in your Web browser, refresh the page, and try your operation again”

You will face the above error in the following cases.
1. When you perform updates in GET requests.
2. When you have only limited permissions on the SharePoint site and try to create or update an item.
3. Even when you have full permissions, you may still face this error in POST requests.

When you search Google for a resolution, everyone suggests the following statement.

web.AllowUnsafeUpdates = true;  // turns the security validation off for this SPWeb
...
...
web.AllowUnsafeUpdates = false; // turn it back on as soon as the update is done

But this property should only be used when you have to perform an update in a GET request, that is, in the page load event. Allowing updates during page load opens the door to cross-site request forgery (CSRF or XSRF) attacks, which is why SharePoint by default refuses any updates to the site, especially in GET requests. If you are in a situation where you must update an item there, you can use the property above to disable the security validation. But be careful while using it: AllowUnsafeUpdates = true turns the security validation off, so once your operation is over, don't forget to set the property back to false.

In the case of limited permissions, if you try to update an item you will obviously get an access denied error. In that case we impersonate to update the items. As you all know there are two ways to impersonate: one is RunWithElevatedPrivileges and the other is instantiating the SPSite object with a highly privileged user token. If your code is not properly elevated you may get an access denied error or the security validation error above. One thing you have to make sure of is that every object you use for the updates is instantiated inside the elevated block; only then does the impersonation work properly. If you still get the above exception, call the following method first and then run the rest of your code. Microsoft always recommends using the following statement whenever you are dealing with the SharePoint API.

SPUtility.ValidateFormDigest();

The SharePoint master page contains a FormDigest control, which inserts the security validation token into the aspx page. For your own web parts, user controls or aspx pages it is better to call this method explicitly to avoid the validation error above.

One more important point about Form Digest:
Cross-site request forgery (CSRF or XSRF) is an attack that tricks the victim's browser into performing an unwanted action on the victim's behalf. For example, this type of attack could result in transferring funds, changing a password, or purchasing an item.

Validate the Form Digest Canary Before Processing a Postback
An attacker can post to pages in SharePoint even if the attacker is not able to run script in the domain. If you browse to a page owned by the attacker, he could perform operations on SharePoint using your credentials.
For example, the attacker might control a page at http://contoso123. When you browse to his page, it posts to http://wingtip/_layouts/deleteweb.aspx using your credentials. If you have administrator's permissions on http://wingtip, this would delete the http://wingtip website.

Hence, before processing a postback request, it is recommended to call the method SPUtility.ValidateFormDigest().
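Putting the three pieces of advice together (no updates on GET, validate the form digest first, create the objects inside the elevated block and scope AllowUnsafeUpdates tightly), here is an added example written for this post; it is not the author's code or Microsoft's, and the list name "Tasks" and the SaveItem method name are assumptions:

```csharp
// Added example (not from the original post): a web part method that applies
// the post's advice. The list name "Tasks" is an assumption.
using System;
using System.Web.UI.WebControls.WebParts;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

public class SafeUpdateWebPart : WebPart
{
    // Call this from a button click (postback) event, never from OnLoad.
    protected void SaveItem()
    {
        // Refuse to update on a GET: only a postback carries the form digest,
        // and a GET update is exactly what a cross-site page could trigger.
        if (!Page.IsPostBack)
        {
            throw new InvalidOperationException("Updates are only accepted on postback.");
        }
        // Validate the form digest (the anti-CSRF canary) before any write.
        if (!SPUtility.ValidateFormDigest())
        {
            throw new SPException("The security validation for this page is invalid.");
        }

        // Only ids are captured here; the SPSite/SPWeb objects must be created
        // inside the elevated block or the update still runs as the current user.
        Guid siteId = SPContext.Current.Site.ID;
        Guid webId = SPContext.Current.Web.ID;

        SPSecurity.RunWithElevatedPrivileges(delegate
        {
            using (SPSite site = new SPSite(siteId))
            using (SPWeb web = site.OpenWeb(webId))
            {
                // Disable the validation only for the duration of the write and
                // reset it in finally so an exception cannot leave it switched off.
                web.AllowUnsafeUpdates = true;
                try
                {
                    SPListItem item = web.Lists["Tasks"].Items.Add();
                    item["Title"] = "Updated at " + DateTime.UtcNow.ToString("u");
                    item.Update();
                }
                finally
                {
                    web.AllowUnsafeUpdates = false;
                }
            }
        });
    }
}
```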
