Why do I get "Invalid postback or callback argument" Errors?

Introduction:

This is the first post of mine so thought of starting with a simple but tricky issue which I came across in few support incidents I have handled. I had a scenario where one of my customers was getting an error message like -

Invalid Postback or callback argument . Event validation is enabled using <pages enableEventValidation="true"/> in configuration or <%@ Page EnableEventValidation="true" %> in a page. For security purposes, this feature verifies that arguments to Postback or callback events originate from the server control that originally rendered them. If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the Postback or callback data for validation.

Many of us get this error message often, either in the event viewer or on the page itself. But what does it signify? When does it come up? What we can do to eliminate this exception due to coding mistakes?

What does it signify?

In ASP.NET 2.0 we have added a feature called event validation. Event validation checks the incoming POST request to ensure that the event causing the Postback / callback is valid and the event which triggered the Postback /callback is expected by the Runtime. If the runtime finds a Postback / callback by an event which is not registered for validation, it throws an exception. This has been added in ASP.NET 2.0 explicitly to prevent the attack to the application by spoofing a Postback. Event validation can help prevent injection attacks from malicious users who are trying to POST data by an event which does not come up from the controls registered to the page.

You can enable or disable this feature by simply setting up Property EnableEventValidation = true in the web.config or on the page level. By default it is enabled. You can find more information about this property in the MSDN link.

So this is about all the “good” which event validation signifies. Agreed that this is a very good security feature which helps preventing script injection attacks but if it is coming during the normal execution of an application, the exception is not expected and does not hold “good” anymore. That is where we need to troubleshoot and find out the problem area.

When does it come up? What we can do to eliminate this exception due coding mistakes?

As I have already spoken about the script injection attack can cause this exception, we should not bother about why it is coming up. Rather in that case we can track down the client who is trying to inject the attack and take appropriate action. So I will rather focus upon the scenarios when it comes up due some coding mistakes.

These mistakes are many in number so I would rather cover just a couple of them in this Post:

1. You have migrated an ASP.NET application from version 1.1 to version 2.0. In 1.1 we had to manipulate the "Select" button column for selecting the record and we normally set the visible property of this button column to FALSE.

The button column has "LinkButton" /”Button” for selecting records and we manually do a Postback using the __dopostback() method.

Agreed that the "LinkButton" /”Button” should register this method for event validation by internally calling the ClientScript.RegisterForEventValidation(). But with the “Visible” property set to FALSE, the control is not rendered and therefore control is not registered for EventValidation by ASP.NET 2.0. However, the DataGrid still utilizes this event. Since the event is not registered, it results in the above error.

In this scenario manually registering the client script for each DataGrid rows will help.

You can simply loop through the rows as mentioned in below code.

protected override void Render(HtmlTextWriter writer)

{

foreach (DataGridItem row in DataGrid1.Items)

ClientScript.RegisterForEventValidation(row.UniqueID.ToString() +":_ctl0");

base.Render(writer);

}

So this signifies that if you are not rendering the control then it is not registered for the validation internally. You need to do that manually using the RegisterForEventValidation function.

2. You have an ASP.NET 2.0 application which has a page with a lot of Javacript adding dynamic controls. On the POST of this particular page you will get the above mentioned exception for Invalid Postback or callback argument. This happens if Javascript is adding a FORM tag as well as adding dynamic controls resulting in the nested form Tags.

This can be reproduced quite easily as well –

In Default.aspx have the below code -

<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs"

Inherits="_Default" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

"https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="https://www.w3.org/1999/xhtml" >

<head runat="server">

<title>Untitled Page</title>

</head>

<body>

<form id="form1" runat="server">

<div>

<asp:Button ID="Button1" runat="server" Text="Button" />

<form></form>

</div>

</form>

</body>

</html>

So this signifies that if you have nested form tags the above mentioned error message will come up.

So with these two scenarios I will stop at this point. I hope this first post of mine might help you and happy reading.

Comments

• Anonymous
  July 31, 2007
  Welcome to the blogging world Amit!!!

• Anonymous
  August 01, 2007
  Welcome in the family :-)

• Anonymous
  September 09, 2007
  Hi.. What must be done to avoid this error? I am using ASP.NET 2.0. I am getting this error in RaisePostBackEvent.

• Anonymous
  September 21, 2007
  You need to use ClientScript.RegisterForEventValidation() for the control causing the postback.You can share the code and I can have a look.

• Anonymous
  September 26, 2007
  The comment has been removed

• Anonymous
  September 26, 2007
  There are couple of things which you can try to avoid such error. First is simply set EnableEventValidation = false and supress the validation itself.Else you need to make sure the ClientScript.RegisterForEventValidation() is done for the control on click of which you are doing the postback.

• Anonymous
  November 12, 2007
  the progress bar is processing.. and later i click stop button and then i got that error...

• Anonymous
  November 12, 2007
  the progress bar is processing.. and later i click stop button and then i got that error...

• Anonymous
  November 13, 2007
  The comment has been removed

• Anonymous
  November 19, 2007
  Hi Win, I have seen this coming if the postback is incomplete as well. Can you please confirm if it comes up even if the postback is complete and I can dig in a bit accordingly?

• Anonymous
  November 22, 2007
  Hi Babacrash, I was trying to repro the scenario which you were talking about. But till now I was not able to achive it yet. May be we can have an email thread going to get to a workaround.

• Anonymous
  November 27, 2007
  The comment has been removed

• Anonymous
  December 17, 2007
  Thanks for the article very informative!

• Anonymous
  January 08, 2008
  Hi amitsh -- The hidden __EVENTVALIDATION field is added near the bottom of the page and, on a slow connection, if I cause a postback while the page is still loading I get this exception. Disabling event validation fixes the problem but is doing that not a security concern?Michael (mediawhole at hotmail)

• Anonymous
  January 09, 2008
  It is always a security risk if we disable event validation. I will suggest to disble the postback before the form is fully loaded itself.

• Anonymous
  January 09, 2008
  Hi Philip, I thik you know the answer to your question. Partial postback is causing this issue. You can eliminate that and the error will go away. You can share the sample if you need help in removing it.

• Anonymous
  February 19, 2008
  HowdyHow can you identify what control on the page is the problem.  I have this error occurring occasionally but not enough to track it down.  I can't "Make" it happen.  My guess is its tied to the AJAX framework but don't have enough to act on it.Thanksdbl

• Anonymous
  April 09, 2008
  The comment has been removed

• Anonymous
  April 11, 2008
  Hi Nathan,Seems like for the first callback the first ddl was registered for the callback but for the subsequent callback it is not being registered. You can actually register the first ddl for callback using ClientScript.RegisterForEventValidation  in Render event.

• Anonymous
  May 01, 2008
  The comment has been removed

• Anonymous
  May 29, 2008
  hiiiThis Error Comes Some times And Sometimes not why this happen i can't understand this Sinario.http://webaspdotnet.blogspot.com/

• Anonymous
  June 03, 2008
  This comes for one of the user of my application when user clicks on the Submit button of the page. can't understand why only one user is getting this error.can anybody suggest any solution - without any code change.

• Anonymous
  June 06, 2008
  I've got this error using ASP.NET 1.1 !and can't use ClientScript.RegisterForEventValidation;so how to solve the problem?Thanks

• Anonymous
  June 06, 2008
  Solved!I solved this problem using FrontPage to put Wep Parts on ASP pages!

• Anonymous
  June 06, 2008
  http://aspnet.4guysfromrolla.com/demos/printPage.aspx?path=/articles/122006-1.aspx   Public Overrides Sub VerifyRenderingInServerForm(ByVal control As Control)       '###this removes the no forms error by overriding the error   End Sub   Public Overrides Property EnableEventValidation() As Boolean       Get           Return False       End Get       Set(ByVal value As Boolean)           'DO NOTHING       End Set   End Property

• Anonymous
  October 29, 2008
  Hello There, Set EnableEventvalidation=false caused any security reason or not ???<a href="http://dotnet-magic.blogspot.com/"> ASP.net Discussion</a>

• Anonymous
  November 13, 2008
  Someone knows how to solve this problem.

• Anonymous
  November 14, 2008
  Sorry for being a bit late for responses. Can you guys please post your queries directly to me via email so that I can respond faster?

• Anonymous
  November 19, 2008
  Hi thereI have read almost everypost(virtually) regarding this issue, but my case is a bit different. I even get this error on a simple aspx page having a simple form textboxes and drop downs when there is a page delay and i click the button (titled cancel, and redirects to main page)at the bottom.As EventValidation comes last contrary to ViewState so if one clicks the button postback occurs, EventValidation is not there ERRORAny clue?

• Anonymous
  November 22, 2008
  Thanks a ton. U solved my problem. The problem was with "nested form tags". I removed them and done!!!

• Anonymous
  December 04, 2008
  Hi,Thanks for this nice article. Could you please let me know whether session timeOut can be a reason for the above mentioned exception. If so, what are all the things we should take care?Regards...

• Anonymous
  January 09, 2009
  For me, it seemed that it was because I was adding a GridView control in the edit cell of another Gridview (don't ask)... and I had AutoGenerateDeleteButton="true"... seems the auto generated controls were just too much for it... but put it in manually... evertying was fine - no need for the RegisterForEventValidation function call either.... sigh.

• Anonymous
  January 12, 2009
  I got this problem because page was not well formed. I'd ported from simple page to one with naster page and left </body> & </form> tags at bottom.This MAY be your underlying cause.Good luckDave

• Anonymous
  January 25, 2010
  I had the same error.I was using a custom built control that was a gridview in an update panel. When sorting or changing the page of the grid, I would get this error.From reading this blog I have realized why the error was occurring. My co was being placed in a div tag that was set to visible = false at page load. For this reason the custom control objects were not rendering at page load.

• Anonymous
  January 28, 2010
  I had the same problem in when using a SharePoint custom field control.  The control had three asp dropdownlists and there was javascript/jQuery to populate the drop down list items and toggle visibility of the controls.  I had the problem only when the drop down lists were initally rendered with no items server side, i.e. when empty drop down list controls were sent to the client and then populated with javascript/jQuery.  If I added a dummy item to each control on the server side (after checking that I wasn't posting back), and then cleaned out the drop down list controls and populated them again with the correct items using javascript/jQuery, everything worked fine...

• Anonymous
  March 03, 2010
  This post is a life saver. Thank you very much !

• Anonymous
  May 02, 2010
  In my case, I used a ListBox that was populated on server end and rendered to the client, and it was throwing me the abovementioned error on postback..turns out one of the listbox.items had a .value which inherited a NUL character from the source data that I was populating from.. (ie: string terminator)... I did a Replace(myString, vbNullChar, "") on the value as part of my listbox values generation method and all worked like a charm without any modification to web.config or <@page...> settings.Hope someone finds this useful and can finally go to sleep like me. :)Cheers

• Anonymous
  May 12, 2010
  am having this exception when creating dropdown controls dynamically on server side and filling values on client using json ajax call request towards my webservice. json is working fine as i see the json string returned by server. it fills the dropdown with data on first click. and there after the exception in the subject appears. the only thing i should definetely specify here is, am calling the server button click event on clinte using clientscript.GetPostBackEventReferenceA ton of thanks if someone could help me to come out of this trouble.

• Anonymous
  July 05, 2010
  Great article. I am able to fix the problem...Gr8 job

• Anonymous
  April 03, 2011
  It is caused because the page load event is being called twice but it's not occurring just because you've not got certain code inside the "not is postback" part.It's because if you have event validation enabled and are running .NET 2 then this will be placed at the bottom of the form. If you click a button or do something that causes postback before the page has loaded then you will see this error but only if you are on .NET 2 as they have fixed it in .NET 3.5 SP1.To get it working on .NET 2 (but you need SP2 installed) you need to edit your Web.config file and add:<configuration>   <system.web>       <pages renderAllHiddenFieldsAtTopOfForm="true"></pages>   </system.web></configuration>Done!

• Anonymous
  September 01, 2011
  Hi every one,my code is as follows<%@ Page Language="C#" MasterPageFile="~/loginmater.master" Title="Content Page" %><asp:Content ID="Content1" ContentPlaceHolderID="ContentPlaceHolder1" runat="server">   <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "www.w3.org/.../xhtml1-transitional.dtd">   <script runat="server">       protected void Button1_Click(object sender, EventArgs e)       {           if (uid.ToString() == "monu" && pwd.ToString() == "monu123")               Response.Redirect("loggedin.aspx");           else               Console.Write("invalid user or password");       }</script>............if i click the button the script must run and the page should redirect to "loggedin.aspx"wat should be done