I have a shopping cart page (Cart.aspx) that has a button that will (sometimes) post to a third party payment gateway, if payment is necessary. The payment gateway will process the payment and then do a silent post to my website (Order.aspx) so I can update the order status.
Order.aspx always throws an invalid viewstate error, even though viewstate is disabled on the page.
What's happening is that Cart.aspx (which has viewstate enabled) posts to the payment gateway, and the gateway will post it back as part of the silent post. Even though Order.aspx has viewstate disabled and validation disabled, it still tries to validate the __viewstate field it's being given.
I know setting EnableViewState=false
will disable the rendering of the __viewstate field, but if another page provides the field, shouldn't it still skip validation?
I tried calling ViewState.Clear()
on the Page_Init
event of Orde开发者_StackOverflow中文版r.aspx, but ViewState is apparently empty.
Any suggestions on how to get around this? I don't want to disable ViewState on Cart.aspx (in some cases it may be necessary), but I can't figure out how to clear it on Order.aspx.
Even when you disable the ViewState, ASP.NET still needs it. It uses the hidden __viewstate field for the view state, control state and it uses to validate the request. You can create a custom HttpHandler
and let the order post to that page. Of course you need to be cautious about the validity of the request. Make sure you can make sure the request is legitimate and not from a hacker.
精彩评论