Monday, September 03, 2007

The security validation for this page is invalid.

When writing code for sharepoint, you may encounter the error "The security validation for this page is invalid. Click Back in your Web browser..." and so on. A lot has been written on this, with many different people touting different solutions. For example SpiderWool says to turn on security validation for the application.
This is not recommended, and not required as one of the comments said - all you need to do before you update the list item or web object is to set "AllowUnsafeUpdates" to true for the SPWeb and SPSite objects.
But some of the other comments in the same post complain that it didn't help them. Well, most probably the reason is that they created the SPWeb or SPSite objects in another function and then tried to update an object that was returned from the function. Here are two examples of the same code, where one will work and the other will not:
Bad Example:
The code calls a function to get the list, where the SPWeb and SPSite are created in the function.

using (SPSite site = new SPSite(parentSiteUrl))
{
        site.AllowUnsafeUpdates = true;
        using (SPWeb web = site.OpenWeb())
        {
            web.AllowUnsafeUpdates = true;
            SPList list = GetList("mylist");
            _listItem = clientsList.Items.Add();
            _listItem["Title"] = "test";
            _listItem.Update();                    }
        }
}
private SPList GetList(string name)
{
   using (SPSite site = new SPSite(parentSiteUrl))
   {
        site.AllowUnsafeUpdates = true;
        using (SPWeb web = site.OpenWeb())
        {
            web.AllowUnsafeUpdates = true;
            SPList list = web.Lists["mylist"];
            return list;
        }
   }
}

Good Example:
Loading the SPSite and SPWeb object only once and using them to get the list.

using (SPSite site = new SPSite(parentSiteUrl))
{
        site.AllowUnsafeUpdates = true;
        using (SPWeb web = site.OpenWeb())
        {
            web.AllowUnsafeUpdates = true;
            SPList list = web.Lists["mylist"];
            _listItem = clientsList.Items.Add();
            _listItem["Title"] = "test";
            _listItem.Update();                    }
        }
}

8 comments:

Anonymous said...

I used the code snipet that was provided. Anonymous user fills the form and submits it and I need to update the list. After setting the AllowunsafeUpdates to true I see that the site shows the Administrator is signed in. Any idea how to update the list but not implicitly signing on the Admin?
Thanks,

Anonymous said...

You rock!!!!! I've been going mad and loking in all the wrong places! Thank you very much.

Danko Greiner said...

his did it for me:

Using site As New SPSite(applicationURL)
Using web As SPWeb = site.OpenWeb()
Dim projectSite As SPWeb = web.Webs(siteName)

projectSite.AllowUnsafeUpdates = True

Dim wa As Administration.SPWebApplication
wa = site.WebApplication
wa.FormDigestSettings.Enabled = False


Turn off the Security validation from the Administration > Operations WAS not Required

Nuno Caneco said...

It worked for me, too!

I'm posting a link to your post on my own blog. I hope you don't mind...

Thanks,

Nuno Caneco

Anonymous said...

I love you.

Anonymous said...

Thanks so much ...

Your posts are brilliant... No wonder bing / google turns up your post in first few results ...

Next time around I have a problem I am going to hit "google's" - I feel lucky .. I m sure I will hit your blog site with a resolution to the issue :-)

Xopher said...

I had to do this to enable a user (who has permissions to a list) to add an entry via SPList.Update()

using (SPSite s = new SPSite(WEBAPP))
{
using (SPWeb w = s.AllWebs[WEBNAME])
{
SPList l = w.Lists[LISTNAME];
SPListItem spi = l.Items.Add();
spi["_Comments"] = txtComment.Text;
spi["PageName"] = pageName;
spi.Update();
}
}
using (SPSite sAdm = new SPSite(WEBAPP, SPContext.Current.Site.SystemAccount.UserToken))
{
sAdm.AllowUnsafeUpdates = true;
using (SPWeb w = sAdm.AllWebs[WEBNAME])
{
w.AllowUnsafeUpdates = true;
SPList l = w.Lists[LISTNAME];
l.Update();
w.Update();
}
}

Rizwan Ansari said...

I was also facing the similar issue but the cause was different. I was using SPSecurity.RunWithElevatedPrivileges to do some administrative task. Then came to know that we need to add this line of code just before elevating the priviledges - SPUtility.ValidateFormDigest(). This solved my problem. I have posted this in my blog post http://sharepointtechie.blogspot.com/2011/02/solution-security-validation-for-this.html .