I am getting the good old "The security validation for this page is invalid" error on SharePoint 2013 while updating a list in SharePoint, triggered by a button click on an application page.

In the browser, I clearly see that this is a POST request. While debugging, I clearly see Context.Request.HttpMethod == "POST".

I've tried adding the FormDigest tag and calling ValidateFormDigest -- it did not help.

What helped was the following:

using (SPWeb web = CurrentSite.OpenWeb())
{
    web.AllowUnsafeUpdates = true;
    // List update here
    web.AllowUnsafeUpdates = false;
}

On MSDN, it is stated that AllowUnsafeUpdates works only for GET requests.

How is it that it is required even for my POST request? Am I doing everything correctly?

1 Answer

The point is: you open a new SPWeb object (i.e. you don't use the contextual SPContext.Current.Web managed automatically by SharePoint on each request). Therefore, no FormDigest can help here: FormDigest ensures security on POST requests for the contextual SPWeb only.

AllowUnsafeUpdates helps here because it deactivates the security checks (both for GET and for POST requests).
The documentation mentions GET requests only, since they always consider that you use the contextual SPWeb: for the contextual SPWeb, only GET requests may need AllowUnsafeUpdates, since POSTs are always OK thanks to the FormDigest control injected via the master page.

Evariste
  • What does it mean -- "FormDigest control injected via the master page"? When using contextual SPWeb, do I still need to ValidateFormDigest? – Rustem Mustafin Jul 20 '15 at 16:39
  • When using the contextual SPWeb, you don't need ValidateFormDigest, because the FormDigest control (injected by default by the default master pages) manages the security checks on the contextual SPWeb for POST requests (but AllowUnsafeUpdates is still needed for GET requests even on the contextual SPWeb). – Evariste Jul 20 '15 at 16:46
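
The two cases discussed above, side by side, as an added example that is not code from the question or the answer: a POST handler that updates through the contextual SPWeb, and one that opens a new SPWeb and gates AllowUnsafeUpdates behind an explicit digest check. The page class, handler names, the "Tasks" list and the use of SPContext.Current.Site in place of the asker's CurrentSite are assumptions.

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;
using Microsoft.SharePoint.WebControls;

// Hypothetical application page; all names below are illustrative.
public partial class UpdateListPage : LayoutsPageBase
{
    // Case 1: contextual SPWeb. On a POST the FormDigest control from the
    // master page covers this web, so AllowUnsafeUpdates stays untouched.
    protected void SaveViaContextWeb_Click(object sender, EventArgs e)
    {
        SPWeb web = SPContext.Current.Web;   // owned by SharePoint: do not dispose
        AddItem(web, "Created via contextual SPWeb");
    }

    // Case 2: a newly opened SPWeb. AllowUnsafeUpdates switches the check off
    // for this object, so the handler verifies the request itself first.
    protected void SaveViaNewWeb_Click(object sender, EventArgs e)
    {
        bool isPost = string.Equals(Request.HttpMethod, "POST",
                                    StringComparison.OrdinalIgnoreCase);
        if (!isPost || !SPUtility.ValidateFormDigest())
        {
            throw new InvalidOperationException(
                "Rejected: request is not a POST carrying a valid form digest.");
        }

        using (SPWeb web = SPContext.Current.Site.OpenWeb())
        {
            bool previous = web.AllowUnsafeUpdates;
            try
            {
                web.AllowUnsafeUpdates = true;   // keep the unsafe window small
                AddItem(web, "Created via new SPWeb");
            }
            finally
            {
                web.AllowUnsafeUpdates = previous;
            }
        }
    }

    private static void AddItem(SPWeb web, string title)
    {
        SPList list = web.Lists.TryGetList("Tasks");   // assumed list name
        if (list == null) throw new InvalidOperationException("List not found.");
        SPListItem item = list.AddItem();
        item["Title"] = title;
        item.Update();
    }
}
```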