The MAC is validated on a per request basis unless you turn it off. I don't immediately see why a session ending could cause this error, but I'm not going to say it's absolutely impossible - you can check this for yourself by following the stack track and using Reflector.
This would be more likely to happen if multiple physical machines serve different requests in the same session, as opposed to a session expiring.
I got this error before and I was able to fix it by creating a static read only machine key. That way the key would never change after the first time it was set, so it would always validate. In my particular circumstance MAC validation was unimportant to me, but depending on your security concerns, you may want to further research the implications of this approach.
