Microsoft.SharePoint.SPException: The security validation for this page is invalid. in SharePoint 2010

If you write the following code in an asmx web service to create a site in SharePoint 2010:

    SPSite site = null;
    SPSecurity.RunWithElevatedPrivileges(() =>
    {
        SPSiteSubscription subscription = SPSiteSubscription.Create();
        site = webApp.Sites.Add(subscription, siteUrl, title, description, lcid, webTemplate, ownerLogin, ownerName, ownerEmail, null, null, null, useHostHeaderAsSiteName); // exception
        site.AdministrationSiteType = SPAdministrationSiteType.TenantAdministration;
    });

You will see the following exception:

Microsoft.SharePoint.SPException: The security validation for this page is invalid. Click Back in your Web browser, refresh the page, and try your operation again. ---> System.Runtime.InteropServices.COMException: The security validation for this page is invalid. Click Back in your Web browser, refresh the page, and try your operation again.

at Microsoft.SharePoint.Library.SPRequestInternalClass.SetSiteQuota(String bstrUrl, UInt16 quotaId, Int64 diskQuota, Int64 diskWarning, Int32 userQuota, Double resourceUsageMaximum, Double resourceUsageWarning, Boolean bForSSC)

at Microsoft.SharePoint.Library.SPRequest.SetSiteQuota(String bstrUrl, UInt16 quotaId, Int64 diskQuota, Int64 diskWarning, Int32 userQuota, Double resourceUsageMaximum, Double resourceUsageWarning, Boolean bForSSC)

   --- End of inner exception stack trace ---

at Microsoft.SharePoint.SPGlobal.HandleComException(COMException comEx)

at Microsoft.SharePoint.Library.SPRequest.SetSiteQuota(String bstrUrl, UInt16 quotaId, Int64 diskQuota, Int64 diskWarning, Int32 userQuota, Double resourceUsageMaximum, Double resourceUsageWarning, Boolean bForSSC)

at Microsoft.SharePoint.Administration.SPQuota.Update()

at Microsoft.SharePoint.SPSite.set_Quota(SPQuota value)

at Microsoft.SharePoint.Administration.SPSiteCollection.Add(SPContentDatabase database, SPSiteSubscription siteSubscription, String siteUrl, String title, String description, UInt32 nLCID, String webTemplate, String ownerLogin, String ownerName, String ownerEmail, String secondaryContactLogin, String secondaryContactName, String secondaryContactEmail, String quotaTemplate, String sscRootWebUrl, Boolean useHostHeaderAsSiteName)

  at Microsoft.SharePoint.Administration.SPSiteCollection.Add(SPSiteSubscription siteSubscription, String siteUrl, String title, String description, UInt32 nLCID, String webTemplate, String ownerLogin, String ownerName, String ownerEmail, String secondaryContactLogin, String secondaryContactName, String secondaryContactEmail, Boolean useHostHeaderAsSiteName)

   at WSS4WS.ProvisioningService.<>c__DisplayClass5.<CreateSite>b__0() in C:\Projects\Web Services\WSS4WS\WSS4WS\ProvisioningService.asmx.cs:line 77

   at Microsoft.SharePoint.SPSecurity.<>c__DisplayClass4.<RunWithElevatedPrivileges>b__2()

   at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)

   at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(WaitCallback secureCode, Object param)

   at Microsoft.SharePoint.SPSecurity.RunWithElevatedPrivileges(CodeToRunElevated secureCode)

   at WSS4WS.ProvisioningService.CreateSite(String webApplicationName, String siteUrl, String title, String description, UInt32 lcid, String webTemplate, String ownerLogin, String ownerName, String ownerEmail, Boolean useHostHeaderAsSiteName)

Operating System: Windows Server 2008

Time Zone: (GMT-08:00) Pacific Time (US & Canada)

The above code snippet works perfectly fine in a console application, but an asmx call is a web request, and SharePoint handles web requests differently: all web requests are validated with the FormDigest control. To get rid of this error message, we can change the web application validation settings in Central Administration > Web Application General Settings page.

Go to “Web Page Security Validation” and select the “Off” radio button for Security Validation.

But this turns off page validation for the entire web application, and you can’t take this risk.

To resolve this, the web application has a form digest settings property, which we can turn off before executing the code and turn back on once the site has been created, using the SharePoint object model.

Disabling the form digest:

    // webApp is the SPWebApplication instance used in the snippet above
    webApp.FormDigestSettings.Enabled = false;

Enabling the form digest:

    webApp.FormDigestSettings.Enabled = true;

The FormDigestSettings property of SPWebApplication is of type SPFormDigestSettings, which relates to web page security validation. The security validation is specific to a user, site, and time period and expires after a configurable amount of time. When the user requests a page, the server returns the page with security validation inserted. When the user then submits the form, the server verifies the security validation and if it has changed, program execution is halted and a security exception is raised.
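The disable/create/enable sequence above leaves validation off if `Sites.Add` throws, and two overlapping calls can restore the wrong value. The following is an added example, not code from the original post: the helper class `SiteProvisioning`, its method `CreateTenantSite` and the lock object are hypothetical names, and the lock only serializes callers inside one worker process.

```csharp
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

// Hypothetical helper (added example, not part of the original post).
public static class SiteProvisioning
{
    // Serializes callers in this process so one call cannot restore the
    // flag while another call is still creating its site.
    private static readonly object DigestLock = new object();

    public static void CreateTenantSite(SPWebApplication webApp, string siteUrl,
        string title, string description, uint lcid, string webTemplate,
        string ownerLogin, string ownerName, string ownerEmail,
        bool useHostHeaderAsSiteName)
    {
        SPSecurity.RunWithElevatedPrivileges(() =>
        {
            lock (DigestLock)
            {
                // Remember the current setting instead of assuming it was true.
                bool previous = webApp.FormDigestSettings.Enabled;
                webApp.FormDigestSettings.Enabled = false;
                try
                {
                    SPSiteSubscription subscription = SPSiteSubscription.Create();
                    // Same Sites.Add overload as in the snippet above.
                    using (SPSite site = webApp.Sites.Add(subscription, siteUrl,
                        title, description, lcid, webTemplate, ownerLogin,
                        ownerName, ownerEmail, null, null, null,
                        useHostHeaderAsSiteName))
                    {
                        site.AdministrationSiteType =
                            SPAdministrationSiteType.TenantAdministration;
                    }
                }
                finally
                {
                    // Runs even when Sites.Add throws, so security validation
                    // is never left switched off by a failed request.
                    webApp.FormDigestSettings.Enabled = previous;
                }
            }
        });
    }
}
```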