Well, for some reason, I decided to test an obscure case today… I was happily greeted by an error page saying that my viewstate was fucked. What? I thought to myself… “This is awesome! Leave it to MS and their skilled button monkey to test viewstate issues, right?” Sorry it’s been a little while since I ranted about MS… I have plenty of crap that’s been building up inside me (mostly related to the stinky pile they call Visual Studio 2005), and maybe I can unleash it all to the world some day in the near future.
Anyway… This issue has to do with asp.net 1.1 and I’m about 96% sure that this has to do with some recent security “improvements” that I made to my web.config. I decided to use authorization elements in my main web.config to control who has access to various files/directories in the system.
My web.config looked something like:
<configuration>
<system.web>
<authorization>
<deny users=”?” />
</authorization>
</system.web>
<location path=”Default.aspx”>
<system.web>
<authorization>
<allow users=”*” />
</authorization>
</system.web>
</location>
<location path=”login.aspx”>
<system.web>
<authorization>
<allow users=”*” />
</authorization>
</system.web>
</location>
<location path=”Themes”>
<system.web>
<authorization>
<allow users=”*” />
</authorization>
</system.web>
</location>
<location path=”js”>
<system.web>
<authorization>
<allow users=”*” />
</authorization>
</system.web>
</location>
</configuration>
What this basically says is that everyone can access default.aspx, login.aspx, the Themes directory, and the js directory. Everything else is limited to logged in users.
Now, for some reason, I decided to add the control I use to log in on to my default.aspx page as well as the login.aspx page. When I tried logging in via default.aspx, I got the lovely viewstate error (Invalid character in Base-64 string).
Allowing access to all files fixes the error… but as an alternative, I just removed “everyone” access to the default.aspx page for now. In the future, I’ll remove the login control from that page, but it doesn’t really matter right now. You have to be logged in to see anything useful right now.
Finding any information related to this was a bitch. Actually, to be completely truthful, I didn’t find anything just worked it out on my own. Thanks MS. If there is a plus side to any of this, I guess it would be that I got to enjoy rebooting my box.