Interview Questions administrator

Best SharePoint administrator Interview Questions and Answers with topic wise:

Recycle Bin | MMS | ManagedVsCrawledProperties |

Sunday, March 4, 2012

where/When/Why FormDigest Control: SharePoint

FormDigest Control:
Every SharePoint developer should know about the “FormDigest” control. Especially who are developing master pages, site pages and application pages?

I am going to cover in which areas FormDigest control use:
  1. What is FormDigest Control?
  2. Why every master page should have “FormDigest” control and what is the need?
  3. The security validation for this page is invalid?
  4. When/where/why use "AllowUnsafeUpdates" in SharePoint?
  5. How to do manipulation to the SharePoint data programmatically?

What is FormDigest control?

A FormDigest control has to be included to create a digest for security validations when performing some modifications to SharePoint data. It adds a security token inside your page based on user, site and time. Once the page is posted back the security token is validated. Once the security token is generated it’s valid for a configurable amount of time. 
For reasons of security, by default, Microsoft SharePoint Foundation does not allow you to make posts from a Web application to modify the contents of the database unless you include security validation on the page making the request.  You can update data for a single site or for a site collection by adding a page directive and a FormDigest control to the page that makes the request.

Note: Main reason why “FormDigest” control introduced is to prevent sites from cross-site scripting attacks and to do validations.

By default, default.master [v4.master in SharePoint 2010] has a “FormDigest” control. Need of it is to prevent pages from the cross-site scripting attacks. 

To get the content from the content DB, we need to set the AllowUnsafeUpdates = true. 
To set the content to the content DB, not required to set the AllowUnsafeUpdates = true. why means because of "FormDigest" control placed in every master page.

Why every master page should have “FormDigest” control and what is the need?

I guess everyone already knows about what is master page, why we can use it and what is the need of it right? Fine. I have developed some pages and through all my pages I am doing modifications to the SharePoint data [means content DB]. But it’s not the good practice to do manipulations directly on content DB without validating our content is safe or not? If you still try to do manipulations without validating your data, you may get the “The security validation for this page is invalid” exception. 

Let’s come back to our topic; so, what will we do and how we can check our updating data is valid or not? Don’t worry; SharePoint has already given up the solution on it. The solution is “FormDigest” control.  The “FormDigest” control will do all these validations. In the above I already explain what “FormDigest” control is. Read it again, now you can get it clearly. 

To do manipulations on content DB directly with security validation we have to put the “FormDigest” control in all the pages. Here again we have to think is this appropriate to add “FormDigest” control in each page? So, Instead of placing the “FormDigest” control in each page, it’s better to place that control in master. The SharePoint team thought about it too smart right? That’s why they already added “FormDigest” control in all master pages in SharePoint?

But, some situation we should do manipulations to the SharePoint data even the data is not safe. So, how can we do manipulations and how we can avoid from above exception? Don’t worry here also SharePoint thought about very smart; the solution is “AllowUnsafeUpdate”.  

Best technical word to say about "FormDigest" Control is:

To make posts from a Web application that modify the contents of the database, you must include the FormDigest control in the form making the post.

The key piece of information I found in here was the following line: "The security validation is specific to a user, site, and time period and expires after a configurable amount of time."

As per msdn articleAllowUnsafeUpdates” is set to true when you are trying to update the database as a result of the GET request”. Refer to know more what/why/where on “AllowUnsafeUpdate”.


  1. Thanks. I'm trying to do this when also using a SPSecurity.RunWithElevatedPrivileges(delegate() ...
    contructor, and things are getting very complicated!

  2. nice article.Gives a crisp brief about form digest.