自ASP.NET Oracle填充漏洞安全修补程序以来无效的Viewstate

2019年8月1日 191次阅读

自从安装ASP.NET Oracle Padding vunerability的安全修补程序以来,任何保持自己登录到我们站点的用户在访问任何页面时都会收到错误消息.

服务器上记录的错误是

System.Web.UI.ViewStateException: Invalid viewstate. 
Client IP: xxx.xxx.xxx.xxx
Port: 55796
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2008052906 Firefox/3.0
ViewState: l4nsXEvWcOwlDpmdbxw916bpHoPiqdBP7Syb+zCQAv44xv/r3oLtETKTL28/Gts6
Referer: 
Path: /product/4795/fender-usa-deluxe-stratocaster-mn-olympic-white-pearl

关闭自定义错误后,用户会看到以下信息

Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster. 
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. 

Exception Details: System.Web.HttpException: Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.

Source Error: 

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.  

Stack Trace: 


[ViewStateException: Invalid viewstate. 
Client IP: xxx.xxx.xxx.xxx
Port: 3588
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6.5; .NET CLR 2.0.50727; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
ViewState: s0toPCu7bxkB7a3G+KTxawY3ILf1qunZyIqNBKg8xSoqY2BkWIUCJAHKFKo2RnJw
Referer: 
Path: /]

[HttpException (0x80004005): Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.]
System.Web.UI.ViewStateException.ThrowError(Exception inner, String persistedState, String errorPageMessage, Boolean macValidationError) +118
System.Web.UI.ViewStateException.ThrowMacValidationError(Exception inner, String persistedState) +13
System.Web.UI.ObjectStateFormatter.Deserialize(String inputString) +238
System.Web.UI.ObjectStateFormatter.System.Web.UI.IStateFormatter.Deserialize(String serializedState) +5
System.Web.Mvc.AntiForgeryDataSerializer.Deserialize(String serializedToken) +90

这个问题的解决方案是删除所有cookie并重新登录,但显然普通用户不会知道这样做,我担心他们只会认为我们的网站已损坏.

有什么我可以做的就像强迫登录的人再次登录？

感谢您的帮助

最佳答案可能没有避免这种情况.如果他们更改了密钥生成/验证代码,则所有当前生成的密钥cookie现在都将无效.

您可以使用global.asax(或httpmodule)中的错误句柄捕获异常,并尝试从用户计算机中删除表单身份验证cookie.

这可能会导致事情发生.