Thursday 12 September 2013

The one where TMG Link Translation breaks Event Validation

I had a simple ASP.NET page with the following in the markup:
   <asp:DropDownList ID="ddl" runat="server"></asp:DropDownList>
   <asp:Button ID="btn" runat="server" OnClick="btn_Click" />


And something like this in the codebehind Page_Load:
   ddl.Items.Add("https://my.domain.com/");


When clicking the button to submit the form an error occurred which after some digging turned out to be:
Invalid postback or callback argument.  Event validation is enabled using <pages enableEventValidation="true"/> in configuration or <%@ Page EnableEventValidation="true" %> in a page.  For security purposes, this feature verifies that arguments to postback or callback events originate from the server control that originally rendered them.  If the data is valid and expected, use the ClientScriptManager.RegisterForEventValidation method in order to register the postback or callback data for validation.


After much head scratching I noticed that the value I was adding (https://my.domain.com) was not what was being displayed in the browser (https://MY.domain.com). Event validation for the page was throwing the error because the value I was submitting by clicking on the button was not the value that was put into the drop down list in the codebehind.


The problem was that Link Translation was enabled in Microsoft Forefront TMG. This automatically rewrites web content so that links with internal names are change to the defined public name before they are presented to the client. In this case the public name was set to https://MY.domain.com. Since the internal and public names are the same in this case, disabling Link Translation in TMG fixed the issue.

Although event validation protects against the user submitted altered data, it would still be a better idea to have them submit an ID and look up the corresponding URL when the form is submitted.