Tags: c#, asp.net, security, post, eventvalidation

Event Validation - Is it truly necessary for Js Heavy applications


This is really a show stopper; I've been thinking about event validation and whether it is really necessary. I am looking into ways to avoid event validation for building a web service/JavaScript-oriented page where drop-down lists are loaded based on web service data. I could disable event validation for the page, but I would like some insights (mostly how you think they might do it) as to how biggies like Google and Yahoo perform such validations. These organizations are hugely public-based, use web services for almost all their services, and rely heavily on AJAX for making their things simpler.

How should I validate the post values in the case where event validation is disabled?


Solution

  • Event Validation ensures that any event that is triggered on the page would have been possible from the state of the page when loaded, e.g. if a Button fires a Click event, then it checks that the button existed in the original page's HTML output by using a hashing algorithm.

    Event validation works by combining the hash of a control's UniqueID property and a hash of each legal value for that control.

    These hashes are stored in a hidden field on the page called __EVENTVALIDATION.

    This is a fail-safe mechanism provided by ASP.NET Web Forms, and provided you code your application properly, in a stateless fashion, it is not necessary. For example, if your application allows only certain users to delete an article, it is best for your delete button event handler to check that the user still has permission to delete the article when it fires. Do not rely on the fact that the Button Click event was triggered to assume that the user had permission.

    Apply this principle to all input into your application. Manually check that values passed from drop-down lists, radio buttons, check boxes, etc., are valid for the user session for the current page and state, and don't rely on the ASP.NET event architecture to validate user input. When you are sure of this, you can safely turn event validation off.
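As an added illustration (not code from the question or the answer above), here is a Web Forms code-behind for the scenario the question describes: a DropDownList whose options are filled client-side from a web service. It shows the two routes the answer implies. The Render override keeps event validation switched on by registering, with ClientScriptManager.RegisterForEventValidation, the values the server itself considers legal, so their hashes land in __EVENTVALIDATION; the click handler performs the manual check the answer recommends, which is needed when EnableEventValidation="false" and is still worthwhile when it is on. The page markup, control IDs (ddlArticles, btnDelete, lblStatus), the role table and DeleteArticle are assumptions made for the example.

```csharp
// Assumed markup (hypothetical, not from the page):
//   <%@ Page Language="C#" Inherits="ArticlePage" %>   (EnableEventValidation on or off)
//   <asp:DropDownList ID="ddlArticles" runat="server" />  <!-- options added by JavaScript -->
//   <asp:Button ID="btnDelete" runat="server" Text="Delete" OnClick="btnDelete_Click" />
//   <asp:Label ID="lblStatus" runat="server" />
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class ArticlePage : Page
{
    // Constructed sample data standing in for a database lookup: which article
    // ids each role may delete. Recomputed server-side on every request, never
    // taken from the client.
    private static readonly Dictionary<string, string[]> DeletableByRole =
        new Dictionary<string, string[]>
        {
            { "editor", new[] { "101", "102", "103" } },
            { "reader", new string[0] },
        };

    // The set of values that are legal for this user on this page right now.
    private IEnumerable<string> AllowedArticleIds()
    {
        foreach (var role in DeletableByRole.Keys)
        {
            if (User.IsInRole(role))
                return DeletableByRole[role];
        }
        return Enumerable.Empty<string>();
    }

    // Route 1: keep event validation enabled. Options injected into the <select>
    // by JavaScript are unknown to the server, so register each legal value here;
    // ASP.NET hashes UniqueID + value into __EVENTVALIDATION during Render and a
    // postback carrying any other value is rejected before the handler runs.
    protected override void Render(HtmlTextWriter writer)
    {
        foreach (var id in AllowedArticleIds())
            Page.ClientScript.RegisterForEventValidation(ddlArticles.UniqueID, id);
        base.Render(writer);
    }

    // Route 2 (and good practice in either case): the handler re-checks the
    // posted value against server-side state and the user's permission instead
    // of trusting that the Click event fired.
    protected void btnDelete_Click(object sender, EventArgs e)
    {
        // Read the raw posted field: ddlArticles.SelectedValue would be empty
        // because the Items collection was never populated on the server.
        string postedId = Request.Form[ddlArticles.UniqueID];

        if (string.IsNullOrEmpty(postedId) || !AllowedArticleIds().Contains(postedId))
        {
            // Unknown id, or one this user may not delete: reject, do not act.
            lblStatus.Text = "Request rejected.";
            return;
        }

        DeleteArticle(postedId);
        lblStatus.Text = "Article " + postedId + " deleted.";
    }

    // Hypothetical persistence call.
    private void DeleteArticle(string id) { }
}
```

If you choose Route 2 and set EnableEventValidation="false", the Render override can be dropped; the handler's check is then the only thing standing between a tampered form post and the delete, which is exactly why the answer says to validate every posted value by hand before turning the mechanism off.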