I've been getting a validation of viewstate error for a long time on my site that I have yet to be able to reproduce. Based on the user-agents and IP addresses, it seems to mostly be coming from spammers. I've put in multiple fixes (including disabling event and request validation, and moving viewstate hidden fields to top of form) thinking that the likely cause was a postback that was too quick, like most things I've found when searching suggest.
However, in the past few days I've noticed the same issue when I start up my browser that still has my development site open in a tab from the day before. It redirects me to the login page to login again. Usually I don't get to actually logging in and using it for about a half hour, but once I do, it then throws the validation of viewstate error. It almost seems like the viewstate expires or something.
Has anyone experienced a viewstate expiring or knows if it can expire and cause an issue like this? Or do you know what else could cause the viewstate error besides a web farm/machine key or a postback before the form has fully rendered?
Update: I just compared the value of the _VIEWSTATE hidden field between the page when I had a problem and the same page when it worked and the value was exactly the same.