views: 153

answers: 1

I've been getting a validation of viewstate error for a long time on my site that I have yet to be able to reproduce. Based on the user-agents and IP addresses, it seems to mostly be coming from spammers. I've put in multiple fixes (including disabling event and request validation, and moving viewstate hidden fields to top of form) thinking that the likely cause was a postback that was too quick, like most things I've found when searching suggest.

However, in the past few days I've noticed the same issue when I start up my browser that still has my development site open in a tab from the day before. It redirects me to the login page to log in again. Usually I don't get to actually logging in and using it for about a half hour, but once I do, it then throws the validation of viewstate error. It almost seems like the viewstate expires or something.

Has anyone experienced a viewstate expiring or know if it can expire and cause an issue like this? Or do you know what else could cause the viewstate error besides a web farm/machine key or a postback before the form has fully rendered?

Update: I just compared the value of the _VIEWSTATE hidden field between the page when I had a problem and the same page when it worked and the value was exactly the same.

+1  A: 

Viewstate can expire, if your application recycles and you have autogenerated machine keys turned on. The Viewstate MAC is calculated using the machine key to stop tampering. If the machine key changes then it becomes invalid. As you're talking about a dev machine from the day before it's likely this is what's happening.

I do hope you haven't left event and request validation disabled. If you have ... what's your web site address?

blowdart
It's only turned off on one page that was giving me problems. I'll need to turn it back on now. Do you know if there's any way I can test whether it's expired to prevent this error from coming? I'm getting multiple errors each day.
jwynveen
By the way, I'm actually not using autogenerated machine keys. I have a decryption and validation key set in the web.config. Does that make any difference?
jwynveen
Oh, if you're using a fixed machine key then that is weird, unless you're manually adding a viewstateuserkey that is equal to something stored in session.
blowdart
And there's no way to tell why it's invalid, I'm afraid; it just doesn't get that granular.
blowdart
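
The two causes named in the answer and comments above (a regenerated machine key, and a ViewStateUserKey tied to session), shown as an added example that is not part of the original thread and is not ASP.NET's actual implementation. It is a simplified Python model of a MAC-protected hidden field; the HMAC-SHA256 construction, the key sizes, and names such as `protect`, `validate` and `session-A` are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import os

MAC_LEN = 32  # length of an HMAC-SHA256 tag in bytes


def protect(state: bytes, validation_key: bytes, user_key: str = "") -> str:
    """Model of the hidden field: base64(state || HMAC(key, state || user_key))."""
    tag = hmac.new(validation_key, state + user_key.encode(), hashlib.sha256).digest()
    return base64.b64encode(state + tag).decode()


def validate(field: str, validation_key: bytes, user_key: str = "") -> bytes:
    """Return the state if the MAC verifies; otherwise raise one generic error."""
    raw = base64.b64decode(field)
    if len(raw) < MAC_LEN:
        raise ValueError("validation of viewstate MAC failed")
    state, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(validation_key, state + user_key.encode(), hashlib.sha256).digest()
    # Constant-time compare; the caller cannot tell which input was wrong.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("validation of viewstate MAC failed")
    return state


def is_valid(field: str, validation_key: bytes, user_key: str = "") -> bool:
    try:
        validate(field, validation_key, user_key)
        return True
    except ValueError:
        return False


def demo() -> dict:
    state = b"constructed-page-state"      # constructed sample payload
    auto_key = os.urandom(32)              # autogenerated key: lives only as long as the process
    fixed_key = bytes.fromhex("00" * 32)   # constructed stand-in for a key fixed in web.config
    auto_field = protect(state, auto_key)
    fixed_field = protect(state, fixed_key, "session-A")
    return {
        "auto_same_process": is_valid(auto_field, auto_key),
        "auto_after_recycle": is_valid(auto_field, os.urandom(32)),  # new key after recycle
        "fixed_same_session": is_valid(fixed_field, fixed_key, "session-A"),
        "fixed_new_session": is_valid(fixed_field, fixed_key, "session-B"),
    }


if __name__ == "__main__":
    print(demo())
```

In this model the posted field is byte-for-byte the same in the passing and failing cases; only the server-side key or user key differs, and the error raised is identical either way.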