2
votes

Currently I am working on a payment gateway integration with my ASP.NET application, in which I have to post a few form variables to the payment gateway page using the GET method. When I do it using a simple HTML page, with form controls holding the values and posting them to the external payment gateway page, everything works fine.

When I try to do it from inside my ASP.NET C# application, I get the error "Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.". On checking the query string that is posted to the external payment gateway page from my ASP.NET C# page, there is an additional __VIEWSTATE variable appended to my desired query string, which holds the variable values I want to post to the payment gateway page.

I have added EnableViewState="false" EnableEventValidation="false" EnableViewStateMac="false" to the <%Page%> directive in the ASPX page and added "this.EnableViewState = false" in the overridden OnLoad method in the code-behind.

For your reference, I am adding the code snippets below:

ASPX page

    <body>
        <%--<form id="pgform" name="pgform" action="http://xxx.xx.xx.xx:xxxx/_layouts/Portal/EWallet_BillDesk_Dummy.aspx" method="post" runat="server">  --%>
        <form id="pgform" name="pgform" action="http://xxx.xxx.xx.xx:xxxx/PaymentGateway.aspx"
        method="get" target="_blank" runat="server">
        <asp:HiddenField ID="mid" runat="server"></asp:HiddenField>
        <asp:HiddenField ID="mtrxid" runat="server"></asp:HiddenField>
        <asp:HiddenField ID="mitem" runat="server"></asp:HiddenField>
        <asp:HiddenField ID="amount" runat="server"></asp:HiddenField>
        <script type="text/javascript">
            document.pgform.submit();
            //alert("connector fired");
        </script>
        </form>
    </body>

code behind

    // Members of the page's code-behind class; needs "using System;" and "using System.Text;".
    // ConvertHexToString and EncryptDecrypt.Encrypt are the application's own helpers (not shown).
    protected override void OnLoad(EventArgs e)
    {
        this.EnableViewState = false;
        base.OnLoad(e);
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Symmetric key embedded in the source, as posted.
        byte[] EncrKeyStream = Encoding.UTF8.GetBytes("nlxcK}~MWgf1WxrT");
        if (Request.QueryString["c"] != null)
        {
            // "c" carries a hex-encoded, pipe-delimited string: applicationNo|amount
            string qry = ConvertHexToString(Request.QueryString["c"]);
            string strApplicationNo = qry.Split('|')[0];
            string strTxnAmount = "1";//qry.Split('|')[1];
            string mtrxId = "ABCMI" + strApplicationNo;
            string mItem = "MOTOR INSURANCE";
            string encmtrxId = EncryptDecrypt.Encrypt(mtrxId, EncrKeyStream);
            string encmItem = EncryptDecrypt.Encrypt(mItem, EncrKeyStream);
            string encAmount = EncryptDecrypt.Encrypt(strTxnAmount, EncrKeyStream);

            // Values rendered into the hidden fields that the form submits to the gateway.
            mid.Value = "ABC_DEV";
            mtrxid.Value = encmtrxId;
            mitem.Value = encmItem;
            amount.Value = encAmount;
        }
    }

Please help me in this regard. I really need this solution now; it's been quite a few hours and I am unable to find a solution. Requesting your help.

Thanks in advance.

1
+1 but hide ip and change your profile photo :D - alessandro

1 Answer

1
votes

Don't use <form runat="server" /> or server-side controls. Use a standard <form> and normal <input> fields (all without runat="server") instead. That way ASP.NET won't generate view state or other hidden fields on your behalf, and you can submit the form cross-host.

I also caution you to have a security expert audit your code and your use of cryptography.
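
The markup the answer describes, written out as a single-file page. This is an added example, not code from the asker or the answerer; it assumes ASP.NET 4 or later (for the HTML-encoding `<%: %>` syntax), and the property names and placeholder values are hypothetical.

```aspx
<%@ Page Language="C#" EnableViewState="false" %>
<script runat="server">
    // Hypothetical property names; each value is written into a plain hidden input below.
    protected string MerchantId { get; private set; }
    protected string TxnId { get; private set; }
    protected string Item { get; private set; }
    protected string Amount { get; private set; }

    protected void Page_Load(object sender, EventArgs e)
    {
        // Constructed placeholder values. In the question's page the last three are
        // the outputs of its own EncryptDecrypt.Encrypt helper, which is not shown there.
        MerchantId = "ABC_DEV";
        TxnId = "ENCRYPTED_MTRXID_PLACEHOLDER";
        Item = "ENCRYPTED_MITEM_PLACEHOLDER";
        Amount = "ENCRYPTED_AMOUNT_PLACEHOLDER";
    }
</script>
<!DOCTYPE html>
<html>
<body>
    <%-- The form and inputs carry no runat="server", so ASP.NET renders no
         __VIEWSTATE or other hidden fields into them. The query string sent
         to the gateway contains only mid, mtrxid, mitem and amount. --%>
    <form id="pgform" name="pgform" method="get" target="_blank"
          action="http://xxx.xxx.xx.xx:xxxx/PaymentGateway.aspx">
        <input type="hidden" name="mid" value="<%: MerchantId %>" />
        <input type="hidden" name="mtrxid" value="<%: TxnId %>" />
        <input type="hidden" name="mitem" value="<%: Item %>" />
        <input type="hidden" name="amount" value="<%: Amount %>" />
    </form>
    <script type="text/javascript">
        // Submit once the form element exists in the DOM.
        document.getElementById("pgform").submit();
    </script>
</body>
</html>
```

With plain inputs the `name` attribute is exactly what is written in the markup, so the parameter names the gateway receives no longer depend on how ASP.NET generates control IDs.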