SharePoint: The security validation for this page is invalid

Happy new year to you all. I am starting off 2010 with an article I have been meaning to write for ages. It addresses an error that has come up several times whilst I have been developing solutions that operate outside of the parameters of a standard SharePoint customisation. Quite often when developing this type of solution I have come across this error message:

The security validation for this page is invalid 

It's not the greatest error message in the world, as its meaning is ambiguous and that is never good with error messages. For one thing, you might not actually be developing a page. You will come across this same error when using the code in a console application or in a web service. In fact you are more likely to come across it in those scenarios, given that the absence of the digest controls which SharePoint implements is usually the root cause of the issue.

Some classes and methods which you may call in a bit of custom code require that SharePoint performs a security validation to ensure that the call is coming from a legitimate SharePoint source.  There are two different kinds of validation depending upon the type of action being taken and therefore two different solutions to this issue.

Updating a site or site collection using the SPWeb and SPSite classes.

You may be using code similar to this when seeing this issue:

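Using site As New SPSite(URL)
    ' The list comes from a helper function, not from the site object opened above
    Dim list As SPList = GetList("listname")
    Dim listItem As SPListItem = list.Items.Add()
    listItem("Title") = "Test Item"
    ' Save the new item; this write is where the validation is enforced
    listItem.Update()
End Using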

This code could fail with the above error for two reasons.  Firstly you are using a function to retrieve the SPList object and this could well be the cause.  The solution here is to put the code to get the required SPList object within the same Using statement.

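The second problem is that you have not prepared for a potentially ‘unsafe’ operation.  This can be resolved by setting the AllowUnsafeUpdates property on your SPSite and SPWeb objects, which allows updates made through those objects to proceed without requiring a security validation.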

A better code sample for this operation would be:

Using site As New SPSite(URL)
    site.AllowUnsafeUpdates = True
    Using web As SPWeb = site.OpenWeb()
        web.AllowUnsafeUpdates = True
        ' Get the list from the web opened inside this Using block
        Dim list As SPList = web.Lists("listname")
        Dim listItem As SPListItem = list.Items.Add()
        listItem("Title") = "Test Item"
        ' Save the new item
        listItem.Update()
    End Using
End Using

This is a much safer and more secure method of performing the same operation, and it should not cause the security validation error.
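
If you want the flag switched on only for the write itself, one option is a small disposable scope that restores the previous value afterwards. This is an added example, not code from the original article: UnsafeUpdateScope, AddItemExample and AddTestItem are hypothetical names, and it assumes the web-level flag is sufficient for a list item write.

```vbnet
Imports System
Imports Microsoft.SharePoint

' Hypothetical helper (not a SharePoint class): turns AllowUnsafeUpdates on
' for one SPWeb and puts the previous value back when disposed.
Public NotInheritable Class UnsafeUpdateScope
    Implements IDisposable

    Private ReadOnly _web As SPWeb
    Private ReadOnly _previous As Boolean

    Public Sub New(ByVal web As SPWeb)
        If web Is Nothing Then Throw New ArgumentNullException("web")
        _web = web
        _previous = web.AllowUnsafeUpdates
        web.AllowUnsafeUpdates = True
    End Sub

    Public Sub Dispose() Implements IDisposable.Dispose
        ' Restore rather than force False, in case the caller had set it.
        _web.AllowUnsafeUpdates = _previous
    End Sub
End Class

Public Module AddItemExample
    ' siteUrl and listName are placeholders supplied by the caller.
    Public Sub AddTestItem(ByVal siteUrl As String, ByVal listName As String)
        Using site As New SPSite(siteUrl)
            Using web As SPWeb = site.OpenWeb()
                Dim list As SPList = web.Lists(listName)
                Dim listItem As SPListItem = list.Items.Add()
                listItem("Title") = "Test Item"

                ' Only the write itself runs with validation relaxed.
                Using scope As New UnsafeUpdateScope(web)
                    listItem.Update()
                End Using
            End Using
        End Using
    End Sub
End Module
```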

Site collection administration operations

Code which uses classes and methods from the Microsoft.SharePoint.Administration namespace can often fall foul of this security validation error, especially code which creates or deletes site collections, as these methods tend to require a more global form digest to be present on the requesting page.

You can however disable the requirement for this security validation at the web application level in order to allow code executing in a different scenario to complete successfully.

The following code example disables the form digest requirement prior to creating a new site collection, but then restores it to its previous state once the process is complete.  It is important to restore the original setting as we will not know what it was set to prior to this code running.

Dim webapp As SPWebApplication = SPWebApplication.Lookup(New Uri(URL))

'Save the current settings
Dim CurrentFormDigestSettings As Boolean = webapp.FormDigestSettings.Enabled

Try
    'disable the form digest validation
    webapp.FormDigestSettings.Enabled = False

    'create the new site collection
    Dim spSites As SPSiteCollection = webapp.Sites
    spSites.Add(FullURL, Name, Description, nLCID, Nothing, OwnerLogin, OwnerName, OwnerEmail)
Finally
    'restore the original setting, even if the site creation throws
    webapp.FormDigestSettings.Enabled = CurrentFormDigestSettings
End Try

Disabling the FormDigestSettings.Enabled property should allow this code to execute safely outside of the ‘expected’ method that SharePoint defaults to.

What not to do!

There are various articles out on the internet detailing methods to resolve this error and some of them make reference to switching off security validation for the entire web application.  This can be done by changing the settings found at Central Administration > Application Management > Web Application General Settings.

This is not an approach that I would recommend.  You are compromising the security of an entire web application in order to allow a piece of custom code to function and that way bad things live.  Much better to take some time, review your code and ensure that you are writing appropriate code for your problem.

Hopefully this has helped you resolve the issue, or helped you to avoid ever running into it in the first place.