What's the point of RegisterForEventValidation and ValidateEvent?  
Steve Abel





PostPosted: Visual C# General, What's the point of RegisterForEventValidation and ValidateEvent? Top

I don't get it!!!!

This is with reference to this article on Client Callback with Validation -> http://www.hide-link.com/

I don't see what the additional RegisterForEventValidation and ValidateEvent calls give you.

It seems to be an attempt to tie the call to a particular control but all the control references are hard-coded on the server-side. In the example given you could just as easily use any word you liked for the unique reference in these two calls (as long as they match). They don't seem to need to bear any relation to the controls on the web page.

Hopefully I'm completely missing the point. If so, can someone please explain it to me?

Thanks.



TaylorMichaelL






Event validation was added in v2.0 to reduce the attack surface of ASP.NET applications. Prior to v2.0 it was possible to intercept a page request and modify the event information that was being sent. For example, assume that you had a page that displayed the users of a site. Within this page there were buttons to edit a user and delete them. If a client selected the edit option then a hacker (snooping on the network) could intercept the request, change the event request from edit to delete and then forward the page on to the server. Viewstate, which is itself secure, only helps secure data sent from the server. In v2.0 MS has secured the event data coming from the client. If the event data is not right the postback will fail.

The purpose of the methods you mentioned is to allow controls to hook into this system to validate events they raised. Normally this is only done for controls that also implement IPostBackEventHandler. Do a quick Google on EVENTVALIDATION to get a bunch of links to this whole concept and potential issues it causes.

Michael Taylor - 12/5/06
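
The edit/delete scenario from the reply above, written as a custom control; this is an added example, not code from either post or from the linked article. The class name `UserActions`, its `CanDelete` and `LastAction` members and the `"edit"`/`"delete"` arguments are hypothetical; the `Page.ClientScript` calls are the ASP.NET 2.0 APIs the thread asks about.

```csharp
using System;
using System.Web.UI;

// Hypothetical control: renders "Edit" for everyone, "Delete" only when allowed.
public class UserActions : Control, IPostBackEventHandler
{
    private bool canDelete;     // assumed to be set by the page (e.g. in Page_Load) from the caller's role
    private string lastAction;

    public bool CanDelete { get { return canDelete; } set { canDelete = value; } }
    public string LastAction { get { return lastAction; } }

    protected override void Render(HtmlTextWriter writer)
    {
        RenderAction(writer, "edit", "Edit");
        if (canDelete)
            RenderAction(writer, "delete", "Delete");
    }

    private void RenderAction(HtmlTextWriter writer, string argument, string text)
    {
        // Must be called during Render. Records the (UniqueID, argument) pair in the
        // page's __EVENTVALIDATION hidden field, i.e. "the server offered this event".
        Page.ClientScript.RegisterForEventValidation(UniqueID, argument);
        string script = Page.ClientScript.GetPostBackEventReference(this, argument);
        writer.AddAttribute(HtmlTextWriterAttribute.Href, "javascript:" + script);
        writer.RenderBeginTag(HtmlTextWriterTag.A);
        writer.WriteEncodedText(text);
        writer.RenderEndTag();
    }

    public void RaisePostBackEvent(string eventArgument)
    {
        // Throws ArgumentException unless this exact (UniqueID, argument) pair was
        // registered when the page was rendered, so an argument that was never offered is rejected.
        Page.ClientScript.ValidateEvent(UniqueID, eventArgument);

        // Event validation is not authorization: re-check the permission on the server.
        if (eventArgument == "delete" && !canDelete)
            throw new UnauthorizedAccessException("Delete is not permitted for this caller.");

        lastAction = eventArgument;
    }
}
```

The pair passed to `ValidateEvent` has to match a pair passed to `RegisterForEventValidation` on the previous render, and the check only applies while the page's `EnableEventValidation` setting is left on.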