
I built a site that's running on two load-balanced servers (web farm). After a while I had to do the following:

At the login page, when the user enters the user name and password, if the user is valid then I'm abandoning the session and creating a new one as follows:

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        var Token = Guid.Empty;
        try
        {
            if (IsValidCaptcha())
            {
                string email = txtEmail.Text.Trim();
                string pw = txtPassword.Text.Trim();

                AbandonSession(); // Delete any existing sessions
                var newSessionId = CreateSessionId(HttpContext.Current); // Create a new SessionId
                SetSessionId(HttpContext.Current, newSessionId);

                Token = SecureLogin.Login(email, pw, LangCode);
            }
            else
            {
                lblMsg.Style.Add("display", "block");
            }
        }
        catch (Exception)
        {
            Token = Guid.Empty;
            lblMsg.Style.Add("display", "block");
        }

        if (Token != Guid.Empty)
        {
            Response.Redirect($"HiddenPage.aspx?token={Token.ToString()}", false);
        }
        else
        {
            lblMsg.Style.Add("display", "block");
        }
    }

    protected void AbandonSession()
    {
        Session.Clear();
        Session.Abandon();
        Session.RemoveAll();
        if (Request.Cookies["ASP.NET_SessionId"] != null)
        {
            Response.Cookies["ASP.NET_SessionId"].Value = string.Empty;
            Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddMonths(-20);
        }
        if (Request.Cookies["__AntiXsrfToken"] != null)
        {
            Response.Cookies["__AntiXsrfToken"].Value = string.Empty;
            Response.Cookies["__AntiXsrfToken"].Expires = DateTime.Now.AddMonths(-20);
        }
    }

    private string CreateSessionId(HttpContext httpContext)
    {
        var manager = new SessionIDManager();

        string newSessionId = manager.CreateSessionID(httpContext);

        return newSessionId;
    }

    public void SetSessionId(HttpContext httpContext, string newSessionId)
    {
        try
        {
            var manager = new SessionIDManager();

            manager.SaveSessionID(httpContext, newSessionId, out bool redirected, out bool cookieAdded);
        }
        catch (Exception ex)
        {
            SmtpMailer.SendMsg(ex.Message + ex.StackTrace + ex.InnerException, "", "");
        }
    }

This is one of the requirements for the site and I can't change it at all (changing the session after login to the site).

After applying this approach, I started getting this error on almost every page in the site (every now and then).

    Event code: 4009
    Event message: Viewstate verification failed.
    Reason: The viewstate supplied failed integrity check.
    Event time: 1/22/2019 2:53:36 PM
    Event time (UTC): 1/22/2019 7:53:36 PM
    Event ID: 5ffacfa116224c9f8f516ead8a89cc55
    Event sequence: 378
    Event occurrence: 1
    Event detail code: 50203

    Application information:
        Application domain: /LM/W3SVC/2/ROOT-1-131926597583461452
        Trust level: Full
        Application Virtual Path: /
        Application Path: ...........
        Machine name: ..............

    Process information:
        Process ID: 6624
        Process name: w3wp.exe
        Account name: IIS APPPOOL\..............

    Request information:
        Request URL: ............../qConsole/CampaignGroup-Launch.aspx
        Request path: /qConsole/CampaignGroup-Launch.aspx
        User host address: ..............
        User:
        Is authenticated: False
        Authentication Type:
        Thread account name: IIS APPPOOL\..............

I double-checked that (a) the machine key/decryption key is the same on both servers in load balancing, and (b) they are not set to auto-generate.

I also added this code to Global.asax:

    protected void Session_Start(object sender, EventArgs e)
    {
        Session.Timeout = 60;
    }

And I have this set in the web.config file:

    <sessionState timeout="25" />

I have a feeling that the issue I'm having revolves around the feature I added (creating a new sessionId after the login page). Any ideas or thoughts are really appreciated.

Update:

I tried this and it didn't solve it at all:

Viewstate verification failed. Reason: The viewstate supplied failed integrity check.

Thanks.

B.Simboliq
  • Possible duplicate of [Viewstate verification failed. Reason: The viewstate supplied failed integrity check.](https://stackoverflow.com/questions/18451882/viewstate-verification-failed-reason-the-viewstate-supplied-failed-integrity-c) – mjwills Jan 23 '19 at 22:18
  • Consider setting up an mcve. Create a minimal template application and add the bare minimum of code to reproduce the problem. – H H Jan 23 '19 at 22:18
  • Read my comments again. I'm predicting you won't get much help this way. It's time for a new approach. – H H Jan 23 '19 at 22:24
  • Please show us the contents of your web.config file. – mjwills Jan 23 '19 at 22:32
  • Do you really need `ViewState`? How hard would it be to change your app to not require it? – mjwills Jan 23 '19 at 22:32
  • @mjwills I never used it at all! As I said, I recently had this issue, but in the past 3 years I never got this issue till I changed the login approach – B.Simboliq Jan 23 '19 at 22:34
  • Writing an .aspx Form without ViewState is pretty difficult, if not impossible. It is the backbone of WebForms. – H H Jan 25 '19 at 10:17
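
An added illustration, not code from the post or from ASP.NET itself: a simplified console model of a view state MAC that is bound to a per-user value, the role `Page.ViewStateUserKey` plays (the Visual Studio Web Forms template sets it from the `__AntiXsrfToken` cookie that the login code above expires). It shows that a field protected under the old value still verifies on any node holding the shared key, and stops verifying once the value is rotated between render and postback. The key, payload and names are constructed, and whether this site sets `ViewStateUserKey` is an assumption the post does not confirm.

```csharp
// Added illustration: simplified model, not ASP.NET's actual view state code.
using System;
using System.Security.Cryptography;
using System.Text;

static class ViewStateMacModel
{
    // Constructed stand-in for the validation key shared by both farm nodes.
    static readonly byte[] FarmKey = Encoding.UTF8.GetBytes("constructed-shared-validation-key");

    // MAC over the per-user key plus the payload. The user key here is a hex
    // GUID, so the '|' separator cannot appear inside it.
    static byte[] Mac(string payload, string userKey)
    {
        using (var hmac = new HMACSHA256(FarmKey))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(userKey + "|" + payload));
    }

    static string Protect(string payload, string userKey) =>
        payload + "." + Convert.ToBase64String(Mac(payload, userKey));

    static bool Verify(string field, string userKey)
    {
        int dot = field.LastIndexOf('.');
        if (dot < 0) return false;
        byte[] sent;
        try { sent = Convert.FromBase64String(field.Substring(dot + 1)); }
        catch (FormatException) { return false; }
        byte[] expected = Mac(field.Substring(0, dot), userKey);
        if (sent.Length != expected.Length) return false;
        int diff = 0; // accumulate differences so the compare takes constant time
        for (int i = 0; i < sent.Length; i++) diff |= sent[i] ^ expected[i];
        return diff == 0;
    }

    static void Main()
    {
        // Page rendered before login, under the cookie value current at that time.
        string oldCookie = Guid.NewGuid().ToString("N");
        string field = Protect("ddlCampaign=3", oldCookie);
        Console.WriteLine("key unchanged, any node: " + Verify(field, oldCookie));

        // Login expires the cookie and a new value is issued; an already
        // rendered page (second tab, back button) then posts the old field.
        string newCookie = Guid.NewGuid().ToString("N");
        Console.WriteLine("after rotation:          " + Verify(field, newCookie));
    }
}
```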
