advice on error

For general questions and discussions specific to the AbleCommerce 7.0 Asp.Net product.
Chris Hadden
Commander (CMDR)
Posts: 182
Joined: Tue Jan 27, 2009 2:29 pm

advice on error

Post by Chris Hadden » Fri Sep 06, 2013 10:28 am

I had a customer unable to check out today. They were getting an error and that was reported as:

Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.; Invalid viewstate. Client IP: 74.103.149.56 Port: 59039 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36 ViewState: /wEPDwUKMTMwOTE0ND.....


My web host says this:

This means that you should add a static machine key to your site's web.config file. This is a configuration setting that will prevent people from receiving invalid viewstate errors. This tool can be used to create a static machine key:

http://aspnetresources.com/tools/machineKey

Then you'll just need to copy and paste the text it generates into the appropriate section of the web.config file on your site. Before making any changes we recommend making a backup copy of your site's web.config file. I believe it goes into the section called system.web but I'd advise consulting with your site developer first as they should be able to determine the correct place to put it.


Would appreciate guidance on where to place file or anything else I need to know before attempting.

Thanks
Chris

jmestep
AbleCommerce Angel
Posts: 8164
Joined: Sun Feb 29, 2004 8:04 pm
Location: Dayton, OH

Re: advice on error

Post by jmestep » Sat Sep 07, 2013 11:36 am

We put it in the location below, right before the custom errors tag. Here is code you could use.
Before you do this, back up and download your encryption keys, because adding a machine key will make it so that your shipping gateways might not work and your charge card payment details might not work. Right now, your encryption depends on the web server's machine key, and when you add one into your web.config the encryption will change.

Code:

<system.web>
	<machineKey validationKey="3ADB04F3A74F7D1C44AB38CC72838A3C5F58792F8E6507798DFC71A0AEA6FD5EC38101409ED4807BC774C85A45EBA6CDF2192934184578A8997D1DF4C73D7381" decryptionKey="D80277EB0B46BAB24469F61AAEE70851E190E44A09289C7F" validation="SHA1" />
    <customErrors mode="On" defaultRedirect="~/Errors/GeneralError.aspx">
      <error statusCode="404" redirect="~/Errors/PageNotFound.aspx" />
    </customErrors>

Judy Estep
Web Developer
jestep@web2market.com
http://www.web2market.com
708-653-3100 x209
New search report plugin for business intelligence:
http://www.web2market.com/Search-Report ... -P154.aspx
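
A key pasted from a forum post or an online generator is known to everyone who has seen it, so each site needs its own. The Python below is an added example, not code from this thread or from AbleCommerce: it builds a fresh element with the same key sizes as the one posted above and audits a web.config for auto-generated, malformed or publicly posted keys. The function names and sample values are constructed.

```python
import re
import secrets
import xml.etree.ElementTree as ET

HEX = re.compile(r"[0-9A-Fa-f]+")

def new_machine_key():
    """Build a <machineKey> with fresh random keys, sized like the element
    in the post: 64-byte validationKey, 24-byte decryptionKey."""
    return (
        '<machineKey validationKey="%s" decryptionKey="%s" validation="SHA1" />'
        % (secrets.token_hex(64).upper(), secrets.token_hex(24).upper())
    )

def audit_machine_key(config_xml, published_keys):
    """Return findings for the <machineKey> element of a web.config string."""
    root = ET.fromstring(config_xml)
    # Compare local tag names so a namespaced <configuration> is handled too.
    node = next((e for e in root.iter() if e.tag.split("}")[-1] == "machineKey"), None)
    if node is None:
        return ["no machineKey element: the server auto-generates its keys"]
    known = {k.upper() for k in published_keys}
    findings = []
    for attr in ("validationKey", "decryptionKey"):
        value = node.get(attr, "")
        if not value or "AUTOGENERATE" in value.upper():
            findings.append(attr + " is auto-generated")
        elif not HEX.fullmatch(value) or len(value) % 2:
            findings.append(attr + " is not an even-length hex string")
        elif value.upper() in known:
            findings.append(attr + " matches a publicly posted key")
    return findings

# Constructed sample values; these are not the keys from the post.
PUBLISHED = ["AB" * 64, "CD" * 24]
COPIED_CONFIG = (
    '<configuration xmlns="http://schemas.microsoft.com/.NetConfiguration/v2.0">'
    '<system.web><machineKey validationKey="%s" decryptionKey="%s" '
    'validation="SHA1" /></system.web></configuration>' % ("ab" * 64, "CD" * 24)
)
FRESH_CONFIG = "<configuration><system.web>%s</system.web></configuration>" % new_machine_key()

if __name__ == "__main__":
    print(audit_machine_key(COPIED_CONFIG, PUBLISHED))
    print(audit_machine_key(FRESH_CONFIG, PUBLISHED))
```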

Re: advice on error

Post by Chris Hadden » Mon Sep 09, 2013 9:50 am

Thanks for the help. I am a bit confused on where this web.config file is. I see several of them... The host says "it goes into the section called system.web". What is the path to the correct file? I am not seeing it.

Thanks
Chris

I'm using Able 7.0.2

Katie
AbleCommerce Admin
Posts: 2651
Joined: Tue Dec 02, 2003 1:54 am

Re: advice on error

Post by Katie » Mon Sep 09, 2013 10:54 am

It is in the web.config that resides in the root (parent) folder of your installation. Every install path varies, so just find the top-most web.config and that will be it.

If it helps, here is a FAQ for more information on this issue - http://help.ablecommerce.com/faqs/ablec ... e_key_.htm

Thanks
Katie
Thank you for choosing AbleCommerce!

http://help.ablecommerce.com - product support
http://wiki.ablecommerce.com - developer support

Re: advice on error

Post by Chris Hadden » Fri Sep 13, 2013 9:12 am

Thank you for the advice. I did as you suggested and it seems to have fixed the flood of errors I was getting. Now that those are gone... I can see other, different errors. Not knowing what they mean, perhaps people can help on those too. There are a number of different ones, so I will just try to tackle them one at a time. I am getting quite a few that look like this:

An error has occured xxx.cameojewelrysupply.com/WebResource.axd?d=pPuJBBcZ_7OcVjdzojcf-QsoSwpJDHCdpwbY2UYrQiEhOW5kimyySKA8FGNE83SQYQ4BffukYZ71XRsc2p4tgZXdEmgS_7i631PkYdoTk89YrcOY0&t=633807563642819121

This is an invalid webresource request.

I replaced the www so you could see the link, otherwise it was shortened... What does this mean? Where are these long strings being generated from?

Thanks

Re: advice on error

Post by jmestep » Mon Sep 16, 2013 5:44 am

That one is harder to figure out because of the encrypted string. See if you can find out the IP address of the customer from the error display in the admin or App_Data/Logs/app.log. Then look up the IP address and see who it is. It could be a spider.

Re: advice on error

Post by Chris Hadden » Tue Sep 17, 2013 9:22 am

Well, I didn't get too far on this. The app log does not include the IP. I then asked my web host if they could tell; I do have a time stamp. The response from them was:
"Looking at the logs there are various IP addresses going to that URL"

They gave me a couple to look at. The first was a Bing bot, but the others looked like normal USA IPs.
So I don't know where to go on this, or if it actually has any detrimental issue on the site. I just don't know... I have not heard any complaints.


So let me ask about another one, maybe this is easier. I am getting lots of errors saying:

ERROR- http://www.cameojewelrysupply.com/categ ... egoryid=88
The state information is invalid for this page and might be corrupted.; Invalid viewstate. Client IP: 85.250.170.20 Port: 3461 User-Agent: Mozilla/4.0 (compatible; Synapse) ViewState: 4osjcnopqppau kxoithzxu6zg7nlk5lw9bi3yhvjdzsniwgzdnob6klcszeycszw4jpc2yw7day7xoug4kwm9ksci2xtq/0y..........

Now this is a good address and resolves to a page on my web site; I see no error generated. What I notice is that the IPs that are causing the error are all from overseas, from countries I rarely sell to: one was Israel, one was El Salvador, one was Sweden. So I am suspicious of them, but not sure why the error is showing in the log. Any thoughts on this one? Thanks for all the help.

Re: advice on error

Post by jmestep » Wed Sep 18, 2013 2:30 am

I'm not sure I'm remembering correctly, but I think some of them might come from a customer doing something on a page, like clicking a button, before the page has been fully loaded. I can see why that might happen more when customers are in different countries, depending on how far away they are from the server, for one thing. I think in newer versions of 7, Able has code to not log those errors.

Re: advice on error

Post by Katie » Wed Sep 18, 2013 7:38 am

Judy, you did remember correctly. In version 7.0.3 we fixed the invalid viewstate errors. Now, I 'think' that the changes are all within the global.asax file, so Chris, you might be able to fix this without upgrading - but no guarantees, so please back up your file before implementing these changes!!

To Prevent scan errors from recording to log:
Edit the Global.asax -

FIND:

Code:

    protected void Application_Error(Object sender, EventArgs e)
    {

DELETE all lines AFTER line above and before the ending </script>

ADD THIS REPLACEMENT CODE:

Code:

        // ENABLE ERROR LOGGING FOR SCRIPTS OUTSIDE OF THE INSTALL DIRECTORY
        if (!HttpContextHelper.IsInstallRequest())
        {
            // RECORD THE DETAILS TO THE AC ERROR LOG
            HttpContext ctx = HttpContext.Current;
            Exception exception = ctx.Server.GetLastError();

            // IGNORE INVALID VIEW STATE ERRORS
            if (IsViewStateException(exception)) return;
            string errorInfo = "An error has occured at " + ctx.Request.Url.ToString();
            Logger.Error(errorInfo, exception);
        }
    }

    // WALKS THE INNER EXCEPTION CHAIN LOOKING FOR A VIEW STATE EXCEPTION
    private bool IsViewStateException(Exception exception)
    {
        if (exception == null) return false;
        if (exception is ViewStateException) return true;
        return IsViewStateException(exception.InnerException);
    }

Thank you for choosing AbleCommerce!

http://help.ablecommerce.com - product support
http://wiki.ablecommerce.com - developer support
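
Before these exceptions are silenced, the entries already in the log can be split into clients that sent a real view state that still failed (a key or server problem worth fixing) and clients that sent a mangled one. The Python below is an added example, not AbleCommerce code: the entry layout follows the two errors quoted in this thread, while the sample lines, function names and the shape heuristics are assumptions.

```python
import re
from collections import defaultdict

# Layout of the entries quoted in the thread.
ENTRY = re.compile(
    r"Client IP: (?P<ip>\S+) Port: \d+ User-Agent: (?P<ua>.*?) ViewState: (?P<vs>.*)$"
)

def viewstate_shape(vs):
    """Classify a logged view state value by its shape only (heuristic)."""
    vs = vs.rstrip(". ")  # the log cuts long values short with dots
    if vs.startswith("/wE"):
        # Unencrypted ASP.NET view state begins with bytes FF 01, base64 "/wE".
        return "well-formed"
    if len(vs) >= 20 and not any(c.isupper() for c in vs):
        # Base64 of this length with no capitals: the client case-folded the field.
        return "case-folded"
    return "other"

def triage(lines):
    """Group invalid-viewstate entries by (IP, User-Agent) and count shapes."""
    clients = defaultdict(lambda: defaultdict(int))
    for line in lines:
        if "Invalid viewstate" not in line:
            continue
        m = ENTRY.search(line)
        if m:
            clients[(m["ip"], m["ua"])][viewstate_shape(m["vs"])] += 1
    return {client: dict(shapes) for client, shapes in clients.items()}

def needs_follow_up(report):
    """IPs that sent at least one well-formed view state that still failed."""
    return sorted(ip for (ip, _), shapes in report.items() if "well-formed" in shapes)

# Constructed sample entries (documentation-range IPs, shortened values).
BOT = "Client IP: 198.51.100.7 Port: 3461 User-Agent: Mozilla/4.0 (compatible; Synapse) "
SAMPLE = [
    "Validation of viewstate MAC failed.; Invalid viewstate. Client IP: 192.0.2.10 Port: 59039 "
    "User-Agent: Mozilla/5.0 (Windows NT 6.1) Chrome/29.0 ViewState: /wEPDwUKMTMwOTE0ND.....",
    "The state information is invalid.; Invalid viewstate. " + BOT + "ViewState: 4osjcnopqppau kxoithzxu6zg7nlk....",
    "The state information is invalid.; Invalid viewstate. " + BOT + "ViewState: 9fk2lmqpzz0sd8 xcvbnm12qwe4rty....",
    "An error has occured at http://www.example.com/Default.aspx",
]

if __name__ == "__main__":
    for client, shapes in triage(SAMPLE).items():
        print(client, shapes)
```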

Re: advice on error

Post by jmestep » Thu Sep 19, 2013 5:53 am

Katie, I think that is all he needs. I think I applied it to an older version of Able once.

Re: advice on error

Post by Chris Hadden » Wed Oct 23, 2013 9:21 am

Thanks for the answer, I am just getting back to it. I am looking at that global.asax file and all the lines of code you say to delete. It doesn't look like the new code I am pasting in... covers all I am taking out? I don't know enough about it, but there is code about cookies and SQL attacks... should I really get rid of that? Here is what I would be deleting per instructions:

        //TERMINATE SQL INJECTION ATTEMPTS
        int maxQueryLength = 500;
        string rawUrl = Request.RawUrl;
        int qIndex = rawUrl.IndexOf("?");
        if (qIndex > -1)
        {
            string query = Request.RawUrl.Substring(qIndex).ToUpperInvariant();
            if (query.Length > maxQueryLength || query.Contains("DECLARE%20"))
            {
                //POTENTIAL ATTACK
                Response.Clear();
                Response.Write("INVALID REQUEST");
                Response.Flush();
                Response.End();
            }
        }
        //CHECK FOR "NEW COOKIE PLEASE" INDICATOR
        string ncp = Request.QueryString["NCP"];
        if (ncp != null)
        {
            HttpCookie authCookie = Response.Cookies["AC7.ASPXAUTH"];
            if (authCookie != null) authCookie.Expires = DateTime.Now.AddYears(-1);
            HttpCookie anonCookie = Response.Cookies["AC7.ASPXANONYMOUS"];
            if (anonCookie != null) anonCookie.Expires = DateTime.Now.AddYears(-1);
            HttpCookie sessionCookie = Response.Cookies["AC7.SESSIONID"];
            if (sessionCookie != null) sessionCookie.Expires = DateTime.Now.AddYears(-1);
            Response.Redirect(Request.Url.AbsolutePath);
        }
    }

    protected void Session_OnStart()
    {
        //SAVE THE REFERRER FOR USE BY THE ORDER MODULE
        if (Request.UrlReferrer != null) Session["SessionReferrerUrl"] = StringHelper.Truncate(Request.UrlReferrer.ToString(), 255);
    }

    protected void Application_Error(Object sender, EventArgs e)
    {
        // At this point we have information about the error
        HttpContext ctx = HttpContext.Current;
        Exception exception = ctx.Server.GetLastError();

        string errorInfo = "An error has occured at " + ctx.Request.Url.ToString();
        Logger.Error(errorInfo, exception);

        //Do not clear error. Let it bubble up to the custom error pages
        //ctx.Server.ClearError ();
    }

</script>

Re: advice on error

Post by Katie » Wed Oct 23, 2013 12:30 pm

You are removing/replacing the code AFTER this line:

Code:

    protected void Application_Error(Object sender, EventArgs e)

If it's easier, I found a direct link to the new Global.asax file here:

ftp://ftp.ablecommerce.com/patches/Glob ... UG8604.zip

I would go ahead and use this one instead. Keep in mind that the version you are using is 7.0.3 and this was added to version 7.0.4, but I see no reason why it won't work. Again, just make a backup in case there are any problems.

Thanks,
Katie