November 17, 2011

SharePoint: “Security validation for this page is invalid” when adding subsite programmatically

Problem:

I created a Web Part that is used for creating subsites. In the Web Part properties you could type in the name of the Web Template you had uploaded to the solution gallery, in addition to other properties. The Web Part uses RunWithElevatedPrivileges.

For the first Web Template that was used, everything worked and subsites could be created just fine. However, slightly modifying the Web Template led to the dreaded security validation error:

Exception attempting to ApplyWebTemplate to SPWeb https://URLOFTHENEWWEB: Microsoft.SharePoint.SPException: The security validation for this page is invalid. Click Back in your Web browser, refresh the page, and try your operation again. ---> System.Runtime.InteropServices.COMException (0x8102006D)

Thoughts:

There wasn’t really much difference between the Web Template that was working and the one that couldn’t be used in my web part when creating subsites.

In fact, what was done in this slightly modified version of the Web Template was to add an instance of a Document Library template that contained a few custom Content Types.

What made it interesting was that one could still create a new subsite from that template by using the normal SharePoint browser functionality for subsite creation.

As it happens every now and then, I couldn’t reproduce this issue on my development virtual server – even when using the same Web Template.


Solution:

Although it is not exactly clear why having a Document Library template in a Web Template would break subsite creation, there is a real solution.

What I had forgotten was to call SPUtility.ValidateFormDigest() before attempting to add the subsite.

Also, MSDN instructs that “Either SPUtility.ValidateFormDigest or SPWeb.ValidateFormDigest should be called before a call of RunWithElevatedPrivileges, if the method passed to the RunWithElevatedPrivileges includes any write operations.”

The reason for running the validation is to prevent cross-site-scripting exploits.

    SPUtility.ValidateFormDigest(); // <<<<< REMEMBER THIS!
    // ...
    // Create site
    using (SPWeb newWeb = parentWeb.Webs.Add(
          projectUrl,
          projectName,
          "",                        // description
          Convert.ToUInt32(locale),
          siteTemplate,
          true, // True breaks inheritance
          false))
    {
        // ... work with the new subsite here ...
    }
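
The ordering that the MSDN note describes, written out as an added example (not code from the original post): the form digest is validated under the user's own identity, and only then is the write performed inside RunWithElevatedPrivileges on freshly opened SPSite/SPWeb objects. The class and method names are hypothetical, and it assumes the call comes from a postback on a page that carries the form digest.

```csharp
using System;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

// Hypothetical helper for illustration; not part of the original Web Part.
public static class SubsiteCreator
{
    // Call from a postback handler (e.g. a button click in the Web Part).
    public static string CreateSubsite(string projectUrl, string projectName,
                                       uint locale, string siteTemplate)
    {
        if (SPContext.Current == null)
            throw new InvalidOperationException("No SharePoint request context.");

        // 1. Validate the digest while still running as the requesting user.
        //    A false return is treated the same as a thrown exception.
        if (!SPUtility.ValidateFormDigest())
            throw new SPException("Form digest validation failed; subsite not created.");

        // 2. Capture only IDs. SPSite/SPWeb objects taken from SPContext keep
        //    the user's identity even inside the elevated delegate.
        Guid siteId = SPContext.Current.Site.ID;
        Guid webId = SPContext.Current.Web.ID;
        string newWebUrl = null;

        // 3. Elevate only for the write, on objects opened inside the delegate.
        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            using (SPSite elevatedSite = new SPSite(siteId))
            using (SPWeb parentWeb = elevatedSite.OpenWeb(webId))
            using (SPWeb newWeb = parentWeb.Webs.Add(
                projectUrl, projectName, "", locale, siteTemplate,
                true,    // unique permissions (breaks inheritance)
                false))  // do not convert an existing folder
            {
                newWebUrl = newWeb.Url;
            }
        });

        return newWebUrl;
    }
}
```

Keeping the elevated delegate limited to the single write keeps the code that runs with the application pool identity small and easy to review.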
 



Thanks to Arttu Arstila for helping me with this.

1 comment:

  1. Because of the FormDigest control we got this issue. Refer to it to know why and how to handle it:
    http://sasikumarreddyv.blogspot.in/2012/03/wherewhenwhy-formdigest-control.html
