Why do I get "Invalid postback or callback argument" Errors?


Introduction:

 

This is the first post of mine so thought of starting with a simple but tricky issue which I came across in few support incidents I have handled. I had a scenario where one of my customers was getting an error message like –

Invalid Postback or callback argument . Event validation is enabled using <pages enableEventValidation="true"/> in configuration or <%@ Page EnableEventValidation="true" %> in a page.  For security purposes, this feature verifies that arguments to Postback or callback events originate from the server control that originally rendered them.  If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the Postback or callback data for validation.

 

Many of us get this error message often, either in the event viewer or on the page itself. But what does it signify? When does it come up? What we can do to eliminate this exception due to coding mistakes?

 

What does it signify?

 

In ASP.NET 2.0 we have added a feature called event validation. Event validation checks the incoming POST request to ensure that the event causing the Postback / callback is valid and the event which triggered the Postback /callback is expected by the Runtime. If the runtime finds a Postback / callback by an event which is not registered for validation, it throws an exception.  This has been added in ASP.NET 2.0 explicitly to prevent the attack to the application by spoofing a Postback. Event validation can help prevent injection attacks from malicious users who are trying to POST data by an event which does not come up from the controls registered to the page.

You can enable or disable this feature by simply setting up Property EnableEventValidation = true in the web.config or on the page level. By default it is enabled. You can find more information about this property in the MSDN link. 

So this is about all the “good” which event validation signifies. Agreed that this is a very good security feature which helps preventing script injection attacks but if it is coming during the normal execution of an application, the exception is not expected and does not hold “good” anymore. That is where we need to troubleshoot and find out the problem area.

 

When does it come up? What we can do to eliminate this exception due coding mistakes?

As I have already spoken about the script injection attack can cause this exception, we should not bother about why it is coming up. Rather in that case we can track down the client who is trying to inject the attack and take appropriate action. So I will rather focus upon the scenarios when it comes up due some coding mistakes.

These mistakes are many in number so I would rather cover just a couple of them in this Post:

1.     You have migrated an ASP.NET application from version 1.1 to version 2.0. In 1.1 we had to manipulate the "Select" button column for selecting the record and we normally set the visible property of this button column to FALSE.

The button column has "LinkButton" /”Button” for selecting records and we manually do a Postback using the __dopostback() method.

Agreed that the "LinkButton" /”Button” should register this method for event validation by internally calling the ClientScript.RegisterForEventValidation(). But with the “Visible” property set to FALSE, the control is not rendered and therefore control is not registered for EventValidation by ASP.NET 2.0. However, the DataGrid still utilizes this event. Since the event is not registered, it results in the above error.

In this scenario manually registering the client script for each DataGrid rows will help.

You can simply loop through the rows as mentioned in below code.

            protected override void Render(HtmlTextWriter writer)

{

foreach (DataGridItem row in DataGrid1.Items)

ClientScript.RegisterForEventValidation(row.UniqueID.ToString() +":_ctl0");

base.Render(writer);

}

 

So this signifies that if you are not rendering the control then it is not registered for the validation internally. You need to do that manually using the RegisterForEventValidation function.

 

2.     You have an ASP.NET 2.0 application which has a page with a lot of Javacript adding dynamic controls. On the POST of this particular page you will get the above mentioned exception for Invalid Postback or callback argument. This happens if Javascript is adding a FORM tag as well as adding dynamic controls resulting in the nested form Tags.

This can be reproduced quite easily as well –

In Default.aspx have the below code –

  

<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs"

Inherits="_Default" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >

<head runat="server">

<title>Untitled Page</title>

</head>

<body>

<form id="form1" runat="server">

<div>

<asp:Button ID="Button1" runat="server" Text="Button" />

<form></form>

</div>

</form>

</body>

</html>

 

So this signifies that if you have nested form tags the above mentioned error message will come up.

 

So with these two scenarios I will stop at this point. I hope this first post of mine might help you and happy reading.


Comments (41)

  1. imRahulSoni says:

    Welcome to the blogging world Amit!!!

  2. Saur212 says:

    Welcome in the family 🙂

  3. venkatesh says:

    Hi..

    What must be done to avoid this error? I am using ASP.NET 2.0. I am getting this error in RaisePostBackEvent.

  4. Meet2 says:

    You need to use ClientScript.RegisterForEventValidation() for the control causing the postback.

    You can share the code and I can have a look.

  5. emonti says:

    I am getting this error for only a few customers and is infrequent. I just spoke with a user and they told me the rotating banner (new logic and allows flash banners to rotate) on the top of the page was not displaying but a red square, green octagon and blue triangle displayed instead. I had them refresh the page and the banner appeared and the symbols went away and they could continue but the logged in page had the same symbols for banner(refresh cleared it up). We also have a login control(new logic too) that has a javascript onclick event for people logged in.

    With most customers not having a problem, i don’t know that a fix like the ones recommended are what is required. Any ideas?

  6. Meet2 says:

    There are couple of things which you can try to avoid such error. First is simply set EnableEventValidation = false and supress the validation itself.

    Else you need to make sure the ClientScript.RegisterForEventValidation() is done for the control on click of which you are doing the postback.

  7. win says:

    the progress bar is processing.. and later i click stop button and then i got that error…

  8. win says:

    the progress bar is processing.. and later i click stop button and then i got that error…

  9. Babacrash says:

    I have got a problem with this: I use a component from Infragistics (a tabbed panel control).

    To add a close button to the tabs, I use a submit button in a form located in the name of each tab. As a result, I’ve got nested forms: outside are the tags of the whole page, and inside the tabbed component, are the <form> tags of the buttons.

    I can’t put the Infragistics component outside of the ‘runat=server’ tag…

    Do you see any way to "unnest" this?

    Thanks a lot in advance.

  10. Meet2 says:

    Hi Win, I have seen this coming if the postback is incomplete as well. Can you please confirm if it comes up even if the postback is complete and I can dig in a bit accordingly?

  11. Meet2 says:

    Hi Babacrash, I was trying to repro the scenario which you were talking about. But till now I was not able to achive it yet. May be we can have an email thread going to get to a workaround.

  12. Philip says:

    Hi

    I am having real problems with this error.

    I have a page which contains (a) a user control ‘search box’, which uses some Ajax controls [AutocompleteExpender and TextBoxWatermarkExtender] and (b) another user control with a text box and simple buttons ‘for setting the number of rows visible in a GridView’.

    These two user controls are contained in an UpdatePanel with the rest of the page not being enclosed in an UpdatePanel (Not my choice, but a management decision).

    To refresh the rest of the page outside the UpdatePanel when a user searches or sets the rows using ether of the user control I am using the following code in there respective chick events

    ScriptManager.RegisterStartupScript(this.Page, typeof(string), "formSubmit", "document.forms[0].submit();", true);

    No mater how I try I can not find which control is causing the error. The screen shot from the error does not give much of a clue, and when trace is enabled I get Render errors cause by the partial postback which happens before the error is hit.

    Any suggestion would be most grateful.

  13. David says:

    Thanks for the article very informative!

  14. michhes says:

    Hi amitsh — The hidden __EVENTVALIDATION field is added near the bottom of the page and, on a slow connection, if I cause a postback while the page is still loading I get this exception. Disabling event validation fixes the problem but is doing that not a security concern?

    Michael (mediawhole at hotmail)

  15. Meet2 says:

    It is always a security risk if we disable event validation. I will suggest to disble the postback before the form is fully loaded itself.

  16. Meet2 says:

    Hi Philip, I thik you know the answer to your question. Partial postback is causing this issue. You can eliminate that and the error will go away. You can share the sample if you need help in removing it.

  17. dbl says:

    Howdy

    How can you identify what control on the page is the problem.  I have this error occurring occasionally but not enough to track it down.  I can’t "Make" it happen.  My guess is its tied to the AJAX framework but don’t have enough to act on it.

    Thanks

    dbl

  18. Nathan says:

    I m using two dropdownlists within a

    update panel using ajax. Here what happens

    is I ve written a code for dropdownlist

    SelectedIndexChanged event that performs

    selection of this dropdownlist will give a

    input to the next dropdownlist. the second

    ddl will fill its contents based on the

    first ddl input. it works fine at first

    time when i refresh the page one more time

    and was selecting the first ddl. it shows

    alert message Invalid postback or callback argument. What should i do now. please help

    me    

  19. Meet2 says:

    Hi Nathan,

    Seems like for the first callback the first ddl was registered for the callback but for the subsequent callback it is not being registered. You can actually register the first ddl for callback using ClientScript.RegisterForEventValidation  in Render event.

  20. Ginny says:

    I have a page with a dropdownlist control and I have a javascript that the user can execute to add another item to the dropdownlist control.  If the added item is the selected item when the page posts back then I get this error.  What control needs to be entered in the ClientScript.RegisterForEventValidation method?  When I enter the dropdownlist control I still get the error and when I enter the button control that is posting the page back I still get the error.  So if you could please advise on what control needs to be entered in that method I would greatly appreciate it!

    Thanks!

    Ginny

  21. Ketan says:

    hiii

    This Error Comes Some times And Sometimes not why this happen i can’t understand this Sinario.

    http://webaspdotnet.blogspot.com/

  22. Abha says:

    This comes for one of the user of my application when user clicks on the Submit button of the page. can’t understand why only one user is getting this error.

    can anybody suggest any solution – without any code change.

  23. babak says:

    I’ve got this error using ASP.NET 1.1 !

    and can’t use ClientScript.RegisterForEventValidation;

    so how to solve the problem?

    Thanks

  24. babak says:

    Solved!

    I solved this problem using FrontPage to put Wep Parts on ASP pages!

  25. mangokun says:

    http://aspnet.4guysfromrolla.com/demos/printPage.aspx?path=/articles/122006-1.aspx

       Public Overrides Sub VerifyRenderingInServerForm(ByVal control As Control)

           ‘###this removes the no forms error by overriding the error

       End Sub

       Public Overrides Property EnableEventValidation() As Boolean

           Get

               Return False

           End Get

           Set(ByVal value As Boolean)

               ‘DO NOTHING

           End Set

       End Property

  26. Ketan says:

    Hello There,

     Set EnableEventvalidation=false caused any security reason or not ???

    <a href="http://dotnet-magic.blogspot.com/"&gt; ASP.net Discussion</a>

  27. Someone knows how to solve this problem.

  28. Meet2 says:

    Sorry for being a bit late for responses. Can you guys please post your queries directly to me via email so that I can respond faster?

  29. Emad says:

    Hi there

    I have read almost everypost(virtually) regarding this issue, but my case is a bit different. I even get this error on a simple aspx page having a simple form textboxes and drop downs when there is a page delay and i click the button (titled cancel, and redirects to main page)at the bottom.

    As EventValidation comes last contrary to ViewState so if one clicks the button postback occurs, EventValidation is not there ERROR

    Any clue?

  30. Robin says:

    Thanks a ton. U solved my problem. The problem was with "nested form tags". I removed them and done!!!

  31. JK says:

    Hi,

    Thanks for this nice article. Could you please let me know whether session timeOut can be a reason for the above mentioned exception. If so, what are all the things we should take care?

    Regards…

  32. Puzsol says:

    For me, it seemed that it was because I was adding a GridView control in the edit cell of another Gridview (don’t ask)… and I had AutoGenerateDeleteButton="true"… seems the auto generated controls were just too much for it… but put it in manually… evertying was fine – no need for the RegisterForEventValidation function call either…. sigh.

  33. hounddog howley says:

    I got this problem because page was not well formed. I’d ported from simple page to one with naster page and left </body> & </form> tags at bottom.

    This MAY be your underlying cause.

    Good luck

    Dave

  34. Nathan says:

    I had the same error.

    I was using a custom built control that was a gridview in an update panel. When sorting or changing the page of the grid, I would get this error.

    From reading this blog I have realized why the error was occurring. My co was being placed in a div tag that was set to visible = false at page load. For this reason the custom control objects were not rendering at page load.

  35. Paul says:

    I had the same problem in when using a SharePoint custom field control.  The control had three asp dropdownlists and there was javascript/jQuery to populate the drop down list items and toggle visibility of the controls.  I had the problem only when the drop down lists were initally rendered with no items server side, i.e. when empty drop down list controls were sent to the client and then populated with javascript/jQuery.  If I added a dummy item to each control on the server side (after checking that I wasn’t posting back), and then cleaned out the drop down list controls and populated them again with the correct items using javascript/jQuery, everything worked fine…

  36. Andy says:

    This post is a life saver. Thank you very much !

  37. Stan says:

    In my case, I used a ListBox that was populated on server end and rendered to the client, and it was throwing me the abovementioned error on postback..

    turns out one of the listbox.items had a .value which inherited a NUL character from the source data that I was populating from.. (ie: string terminator)… I did a Replace(myString, vbNullChar, "") on the value as part of my listbox values generation method and all worked like a charm without any modification to web.config or <@page…> settings.

    Hope someone finds this useful and can finally go to sleep like me. 🙂

    Cheers

  38. rams says:

    am having this exception when creating dropdown controls dynamically on server side and filling values on client using json ajax call request towards my webservice. json is working fine as i see the json string returned by server. it fills the dropdown with data on first click. and there after the exception in the subject appears. the only thing i should definetely specify here is, am calling the server button click event on clinte using clientscript.GetPostBackEventReference

    A ton of thanks if someone could help me to come out of this trouble.

  39. Himanshu Saraswat says:

    Great article. I am able to fix the problem…Gr8 job

  40. Justin says:

    It is caused because the page load event is being called twice but it's not occurring just because you've not got certain code inside the "not is postback" part.

    It's because if you have event validation enabled and are running .NET 2 then this will be placed at the bottom of the form. If you click a button or do something that causes postback before the page has loaded then you will see this error but only if you are on .NET 2 as they have fixed it in .NET 3.5 SP1.

    To get it working on .NET 2 (but you need SP2 installed) you need to edit your Web.config file and add:

    <configuration>

       <system.web>

           <pages renderAllHiddenFieldsAtTopOfForm="true"></pages>

       </system.web>

    </configuration>

    Done!

  41. pradeep says:

    Hi every one,

    my code is as follows

    <%@ Page Language="C#" MasterPageFile="~/loginmater.master" Title="Content Page" %>

    <asp:Content ID="Content1" ContentPlaceHolderID="ContentPlaceHolder1" runat="server">

       <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/…/xhtml1-transitional.dtd"&gt;

       <script runat="server">

           protected void Button1_Click(object sender, EventArgs e)

           {

               if (uid.ToString() == "monu" && pwd.ToString() == "monu123")

                   Response.Redirect("loggedin.aspx");

               else

                   Console.Write("invalid user or password");

           }

    </script>

    ….

    ….

    ….

    if i click the button the script must run and the page should redirect to "loggedin.aspx"

    wat should be done

Skip to main content