Validation of viewstate MAC failed

1
votes

Running the ASP.NET webforms run the application works fine. When the application is idle for 4 to 5 minutes, it is giving this error:

Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.

How can this be solved?

4
c#asp.net
Vote to close, exact duplicate of CryptographicException: Padding is invalid and cannot be removed and Validation of viewstate MAC failed - Chris Marisic
Sadly this is both a bug and a feature of ASP.NET. - Chris Marisic
i have added both page settings as false and machine key. same machine key in both application. still it shows same error - Razack

4 Answers

0
votes

Modify your web.config with this element:

<pages validateRequest="false" 
       enableEventValidation="false" 
       viewStateEncryptionMode ="Never" />

Any more info required, refer to the ASP.NET Forums topic

2
votes

This free online tool: http://aspnetresources.com/tools/machineKey generates a machineKey element under the system.web element in the web.config file. Here is an example of what it generates:

<machineKey validationKey="1619AB2FDEE6B943AD5D31DD68B7EBDAB32682A5891481D9403A6A55C4F91A340131CB4F4AD26A686DF5911A6C05CAC89307663656B62BE304EA66605156E9B5" decryptionKey="C9D165260E6A697B2993D45E05BD64386445DE01031B790A60F229F6A2656ECF" validation="SHA1" decryption="AES" />

Once you see this in your web.config, the error itself suddenly makes sense. The error you are getting says

"ensure that configuration specifies the same validationKey and validation algorithm".

When you look at this machineKey element, suddenly you can see what it is talking about.

Modifying the pages element under the system.web element may not be necessary with this in place. This avoids the security problems associated with those attributes.

By "hard coding" this value in your web.config, the key that asp.net uses to serialize and deserialize your viewstate stays the same, no matter which server in a server farm picks it up. Your encryption becomes "portable", thus your viewstate becomes "portable".

I'm just guessing also that maybe the very same server (not in a farm) has this problem if for any reason it "forgets" the key it had, due to a reset on any level that wipes it out. That is perhaps why you see this error after an idle period and you try to use a "stale" page.

0
votes

This isn't your problem but it might help someone else. Make sure you are posting back to the same page. Check the action on your form tag and look at the URL your browser is requesting using Firefox Live HTTP Headers.

I ran into this because I was posting back to a page with the same name but a different path.