invalid viewstate error - OnPreRender

Question

I'm getting 100+ errors per day on my website with System.Web.HttpException: Invalid viewstate.

The website is asp.net 3.5 running on iis6 , not running in a web-garden/web-farm , single server.

Here are a few sample errors.

Machine: ML Framework Version: 2.0.50727.3603 Assembly Version: 6.5.3664.33889 
Source: http://www.domain.com/WebResource.axd?d=z5VmXXoSLLpQHoPictureAlert 
Exception: System.Web.HttpException: Invalid viewstate. at System.Web.UI.Page.DecryptStringWithIV(String s, IVType ivType) at System.Web.Handlers.AssemblyResourceLoader.System.Web.IHttpHandler.ProcessRequest(HttpContext context) 
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() 
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) 

Machine: MLFramework Version: 2.0.50727.3603 Assembly Version: 6.5.3664.33889 
Source: http://www.mydomain.com/ScriptResource.axd?d=SE0Ej7OlEAx91j2Cjv_6KkRPplqT-5wB4M7CZPdGdGn3LahLwqlRPApUcdxBsbFXYHZ91Q76FHAHWgHs8SmOC4zemr7
siym0QY0rF3XtJTu%3C/a%3E%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%3Ca%20id= 
Exception: System.Web.HttpException: Invalid viewstate. at System.Web.UI.Page.DecryptStringWithIV(String s, IVType ivType) at 
System.Web.UI.Page.DecryptString(String s) at System.Web.Handlers.ScriptResourceHandler.DecryptParameter(NameValueCollection queryString) at 
System.Web.Handlers.ScriptResourceHandler.ProcessRequestInternal(HttpResponse response, NameValueCollection queryString, 
VirtualFileReader fileReader) at System.Web.Handlers.ScriptResourceHandler.ProcessRequest(HttpContext context) at 
System.Web.Handlers.ScriptResourceHandler.System.Web.IHttpHandler.ProcessRequest(HttpContext context) at 
System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at 
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) 

1. i already tried wraping all inline javascript with //<![CDATA[ //]]>
2. i already set enableViewStateMac to false.

From looking at all the errors guessing out of the "d" paramter it seems to focus on a single usercontrol on my website. in this control i change the visiblity of div's + text in the usercontrol OnPreRender function.

protected override void OnPreRender(EventArgs e)
        {
            base.OnPreRender(e);
            PreparePage();
        }

Can the errors be related to the usercontrol behavioral?

thanks!

Answer 1

If your site is running in a web farm this might be related to having different machine keys. For example if one server is used to encode the viewstate then another server won't be able to decode it if it does not have the same machine key. Checkout this article. Even if you don't have multiple servers try specifying fixed machine keys.

Answer 2

The invalid ViewState exception is generally from ASP.NET's built in event validation. Turning off EnableViewStateMac simply stops the MAC-based encryption, not the viewstate validation. To do that you need to set EnableEventValidation="false" in the Page directive.

As to why it's happening... three possible reasons:

1) You are modifying the contents of a control on the client side (such as DropDownList items).

2) The page is being posted back before the ViewState validation field is being rendered.

3) Your site is the target of a malicious script searching for vulnerabilities... in which case, EventValidation is doing its job.

I'd say #1 is most likely... bu #2 is also very common, especially when you're seeing this error inconsistently.