
Possible Duplicate:
purpose for <pages enableEventValidation="false">

I have another related question without an answer as yet: my stackoverflow question

However, my problem goes away if I set EnableEventValidation="false".

Now my question is does it make a really big deal if I set this on a MasterPage?

In all the references to setting this to false, no one brings up the security issue other than MSDN.

Any suggestions?

ComfortablyNumb
  • Similar Question: http://stackoverflow.com/questions/1503630/purpose-for-pages-enableeventvalidation-false – Zachary Feb 01 '12 at 23:21

1 Answer


Removing event validation decreases the number of security checkpoints within the application. The question is, does it matter?

A simple example where it matters

A user is given 2 options because they are a "Silver" member on a site. They craft a request that actually submits option #3 and are granted a "Gold" privilege that they didn't pay for.

An example where it probably doesn't matter

A user crafts a request that asserts they live in a country that wasn't in a dropdown list on your page. You are running a transactional, relational database which catches this with a foreign key constraint. The user receives an error and no data is persisted or corrupted.

Am I suggesting that you let your database perform validation? Certainly not. But in this example, no harm is done.

When in doubt, assume that it does matter and that someone will find a way to break your code.

The Ideal Approach

First, identify why event validation is breaking. In my experience it's usually due to a misuse of page/control design. In 15+ years of .NET development, I have only once seen event validation break the design of a control. That control was so complex it ultimately had to be rewritten. In other words, if event validation causes a problem for your control, you should probably rethink the control's design, not disable event validation.

And finally:

Identify and validate your critical business rules server-side and independently from ASP.NET. Don't rely on a framework to do your job; it's too easy to assume that security is "handled" and leave a gaping hole in your design.

Tim M.
  • Your answer actually helped me decide what to do. Thanks! – PraveenLearnsEveryday Feb 28 '12 at 10:55
  • Your assumed exploit about the "Gold" privilege should always fail at the server side. Not checking the input values at the server side is very bad design. – Marcel Jan 10 '14 at 10:00
  • @Marcel - hence the last paragraph in bold, "Identify and validate your critical business rules server-side and independently from ASP.NET." That said, event validation *is* a server-side mechanism. It's better to leave it enabled than do nothing at all. – Tim M. Jan 10 '14 at 17:43
  • @TimMedora So following your addendum, there should be no reason for eventvalidation because your logic is validated serverside anyway, as it should be. Even with event validation, you should assume specially crafted responses are possible. – Slight Jul 27 '15 at 21:04
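The following is an added example, not code from the question, from Tim M.'s answer or from any project mentioned on this page. It puts the answer's two recommendations into one ASP.NET Web Forms code-behind: event validation stays enabled (any value a script may add to the list client-side is registered during Render instead of the check being switched off), and the "Silver member submits option #3" case is caught by a business-rule check that does not depend on ASP.NET at all. It assumes a markup page with `<asp:DropDownList ID="PlanList" runat="server" />` and `<asp:Button ID="Submit" runat="server" OnClick="Submit_Click" />`; the tier names, the option values and the `GetMemberTier` / `GrantOption` helpers are constructed for the example.

```csharp
// Added example (not from the original question or answer): keep EnableEventValidation
// on, register every legitimate list value for it, and independently validate the
// posted value against a server-side business rule.
// Assumptions: markup contains <asp:DropDownList ID="PlanList" runat="server" /> and
// <asp:Button ID="Submit" runat="server" OnClick="Submit_Click" />; GetMemberTier()
// and GrantOption() are hypothetical helpers standing in for the real membership code.
using System;
using System.Collections.Generic;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class ChoosePlan : Page
{
    // Options each tier may legitimately submit (constructed sample data).
    private static readonly Dictionary<string, string[]> AllowedOptions =
        new Dictionary<string, string[]>
        {
            { "Silver", new[] { "basic", "plus" } },
            { "Gold",   new[] { "basic", "plus", "premium" } },
        };

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // Populate the list only with what this member is entitled to choose.
            PlanList.Items.Clear();
            foreach (var option in AllowedOptions[GetMemberTier()])
                PlanList.Items.Add(new ListItem(option, option));
        }
    }

    // The usual reason event validation "breaks" is that script adds options after
    // the page was rendered. Register every acceptable value here instead of setting
    // EnableEventValidation="false". RegisterForEventValidation must run during Render.
    protected override void Render(HtmlTextWriter writer)
    {
        foreach (var option in AllowedOptions[GetMemberTier()])
            Page.ClientScript.RegisterForEventValidation(PlanList.UniqueID, option);
        base.Render(writer);
    }

    protected void Submit_Click(object sender, EventArgs e)
    {
        // Read the raw posted field (its name is the control's UniqueID) so the
        // business-rule check does not trust the control's own state.
        string posted = Request.Form[PlanList.UniqueID];
        if (!IsAllowed(GetMemberTier(), posted))
        {
            // Rule violated: reject without granting anything. Log this server-side.
            throw new InvalidOperationException("Option not available for this member's tier.");
        }
        GrantOption(posted);
    }

    // The check that is independent of ASP.NET: pure logic, unit-testable without a page.
    internal static bool IsAllowed(string tier, string option)
    {
        string[] options;
        return tier != null
            && option != null
            && AllowedOptions.TryGetValue(tier, out options)
            && Array.IndexOf(options, option) >= 0;
    }

    // Hypothetical helpers; a real site would read the tier from its membership store.
    private string GetMemberTier() { return (string)Session["MemberTier"] ?? "Silver"; }
    private void GrantOption(string option) { /* persist the member's choice */ }
}
```

With this layout a Silver member who posts `premium` is stopped twice: event validation rejects the unregistered value before `Submit_Click` runs, and if that mechanism were ever disabled or bypassed, `IsAllowed("Silver", "premium")` still returns false. That second check is the one the answer's last paragraph is about; the first is the framework checkpoint the question was considering removing.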