How to correct: The security validation for this page is invalid (FormDigest)

How to correct the security error on a custom SharePoint web page:
The security validation for this page is invalid. Click Back in your Web browser, refresh the page, and try your operation again.

Short Answer:

Use SPUtility.ValidateFormDigest() and do not use AllowUnsafeUpdates.

A Less Desirable Solution (but more commonly used)

One way to get around this issue is to set the web’s (SPWeb) AllowUnsafeUpdates property to true. This is not ideal, because it lets updates through without the security validation, and there is a more secure option.

A Better Solution

This method configures the web page to properly issue and revalidate the form digest (the security validation token), preventing the “security validation” error noted above. There is also no need to set the SPWeb AllowUnsafeUpdates property to true.

Coding Steps:

1. Register the SharePoint web controls assembly in your aspx. Place this at the top of the .aspx file:

<%@ Register TagPrefix="SharePoint"
Namespace="Microsoft.SharePoint.WebControls"
Assembly="Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>

2. Place the FormDigest control on the .aspx page (I place it near the end of the page). The tag prefix must match the TagPrefix registered above:

<SharePoint:FormDigest ID="FormDigest1" runat="server" />

3. In your page code-behind, call the ValidateFormDigest() method during the page OnInit() event to revalidate the page security. It is important to call the ValidateFormDigest method as early as possible in the page cycle.

// At the top of the code-behind file:
using System;
using Microsoft.SharePoint.Utilities;

// Inside the page class:
protected override void OnInit(EventArgs e)
{
	// Revalidate the form digest on postbacks, before any handler updates data.
	if (Page.IsPostBack)
	{
		SPUtility.ValidateFormDigest();
	}

	// Always run the base initialization, on the first load as well as on postbacks.
	base.OnInit(e);
}

That’s it. Your custom SharePoint page should now successfully pass the security validation. It is also important to remember that you will need to also add the FormDigest control and call the ValidateFormDigest method in any custom user controls that are performing updates to SharePoint data.
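
The user-control case mentioned above, as an added example that is not code from the original post: the code-behind of a hypothetical TaskEditor.ascx that validates the digest before its save handler runs and then updates a list without AllowUnsafeUpdates. The control IDs, the "Tasks" list and the class name are assumptions, and the .ascx is assumed to contain the FormDigest control and a button wired with OnClick="SaveButton_Click".

```csharp
// Added example: code-behind for a hypothetical user control (TaskEditor.ascx).
using System;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

public class TaskEditor : UserControl
{
    // Declared in the .ascx markup (hypothetical control ID).
    protected TextBox TitleBox;

    protected override void OnInit(EventArgs e)
    {
        // Validate the digest posted by the FormDigest control before any
        // event handler runs. ValidateFormDigest() returns a bool, so a
        // failed validation is turned into a hard stop here.
        if (Page.IsPostBack && !SPUtility.ValidateFormDigest())
        {
            throw new SPException("Form digest validation failed.");
        }

        // Runs on the first load and on postbacks alike.
        base.OnInit(e);
    }

    // Wired in the markup with OnClick="SaveButton_Click".
    protected void SaveButton_Click(object sender, EventArgs e)
    {
        // SPContext owns this SPWeb, so it is not disposed here.
        SPWeb web = SPContext.Current.Web;

        SPList list = web.Lists["Tasks"];   // hypothetical list title
        SPListItem item = list.Items.Add();
        item["Title"] = TitleBox.Text;

        // AllowUnsafeUpdates stays at its default (false): the update is
        // accepted because the digest was validated in OnInit.
        item.Update();
    }
}
```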


SPSecurityTrimmedControl: Conditionally display contents by security

The SPSecurityTrimmedControl control renders its contents only if the current user has the permission defined in the PermissionsString.  The content can be any HTML code or control you like.  The PermissionsString attribute defines the permission required to view the contents.  These Permissions are the same base values that are used in various combinations to define the default Permission Levels that are created with each new site collection, such as Design, Contribute, Read, etc.  You can also create your own custom Permission Levels for use in configuring your SharePoint security.  But remember, the PermissionsString attribute can only be supplied valid Permission values, not Permission Levels.  There are 33 base SharePoint Permissions (Permission levels and permissions), any of which can be used.

This is a terrific control for use with your custom master pages and even with any custom SharePoint .ASPX pages you are hosting in SharePoint.

Attributes:

  • PermissionsString (required):
    Defines the permission values required to render the contents.
  • PermissionContext (optional):
    Enumeration Values:
    – PermissionContext.CurrentFolder
    – PermissionContext.CurrentItem
    – PermissionContext.CurrentList
    – PermissionContext.CurrentSite
    – PermissionContext.RootSite
  • PermissionMode (optional):
    Allows you to define whether All permissions are required or Any permission is required to render contents.
    Enumeration Values:
    – PermissionMode.All
    – PermissionMode.Any
Example:

<SharePoint:SPSecurityTrimmedControl runat="server" PermissionsString="AddAndCustomizePages">
You can place any text or HTML in this section. Only users having the AddAndCustomizePages permission will see this.
</SharePoint:SPSecurityTrimmedControl>

If you need to, you can even create your own Security Trimmer as shown here. 
http://msdn2.microsoft.com/en-us/library/aa981236.aspx

Another method worth noting is the RightsSensitiveVisibilityHelper.UserHasRights method. 
https://msdn2.microsoft.com/en-us/library/ms465624.aspx
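
An added example, not code from the original post, that uses the optional PermissionMode and PermissionContext attributes and repeats the same permission check in the code-behind. The control decides only what is rendered, so a handler that changes data should make the check itself. The page class, button, list title and choice of permissions are assumptions; form digest validation is assumed to run in OnInit as described in the first post.

```csharp
// Added example. Page, control and list names are hypothetical.
// Markup (.aspx) that hides the button unless the user has both permissions:
//   <SharePoint:SPSecurityTrimmedControl runat="server"
//       PermissionsString="ManageLists,ManageWeb"
//       PermissionMode="All" PermissionContext="CurrentSite">
//     <asp:Button ID="ArchiveButton" runat="server" Text="Archive"
//         OnClick="ArchiveButton_Click" />
//   </SharePoint:SPSecurityTrimmedControl>
using System;
using System.Linq;
using System.Web.UI;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Utilities;

public class ArchivePage : Page
{
    // The same base permissions named in PermissionsString above.
    private static readonly SPBasePermissions[] Required =
    {
        SPBasePermissions.ManageLists,
        SPBasePermissions.ManageWeb
    };

    // requireAll = true mirrors PermissionMode.All, false mirrors PermissionMode.Any.
    private static bool UserHasPermissions(SPWeb web, bool requireAll)
    {
        return requireAll
            ? Required.All(p => web.DoesUserHavePermissions(p))
            : Required.Any(p => web.DoesUserHavePermissions(p));
    }

    protected void ArchiveButton_Click(object sender, EventArgs e)
    {
        SPWeb web = SPContext.Current.Web; // owned by SPContext, not disposed here

        // Server-side re-check: the trimmed control only affects rendering.
        if (!UserHasPermissions(web, true))
        {
            SPUtility.HandleAccessDenied(
                new UnauthorizedAccessException("ManageLists and ManageWeb are required."));
            return;
        }

        SPList list = web.Lists["Project Documents"]; // hypothetical list title
        list.Description = "Archived " + DateTime.UtcNow.ToString("u");
        list.Update();
    }
}
```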

References:

PermissionContext Enumeration (Microsoft.SharePoint.Utilities) 
http://msdn2.microsoft.com/en-us/library/microsoft.sharepoint.utilities.permissioncontext.aspx
SPBasePermissions Enumeration (Microsoft.SharePoint)
http://msdn2.microsoft.com/en-us/library/microsoft.sharepoint.spbasepermissions.aspx
PermissionMode Enumeration (Microsoft.SharePoint.Utilities)
http://msdn2.microsoft.com/en-us/library/microsoft.sharepoint.utilities.permissionmode.aspx
Permission Levels and Permissions 
http://office.microsoft.com/en-us/sharepointtechnology/HA101001491033.aspx 
SPSecurityTrimmedControl Class 
http://msdn2.microsoft.com/en-us/library/microsoft.sharepoint.webcontrols.spsecuritytrimmedcontrol.aspx 
DLC's SharePoint Platform Team Blog 
http://www.sharepointplatform.com/teamblog/Lists/Posts/Post.aspx?ID=31