tags:

views:

153

answers:

1
+1  Q: 

Validation of Viewstate MAC failed

I've been getting a validation of viewstate error for a long time on my site that I have yet to be able to reproduce. Based on the user-agents and IP addresses, it seems to mostly be coming from spammers. I've put in multiple fixes (including disabling event and request validation, and moving viewstate hidden fields to top of form) thinking that the likely cause was a postback that was too quick, like most things I've found when searching suggest.

However, in the past few days I've noticed the same issue when I start up my browser that still has my development site open in a tab from the day before. It redirects me to the login page to login again. Usually I don't get to actually logging in and using it for about a half hour, but once I do, it then throws the validation of viewstate error. It almost seems like the viewstate expires or something.

Has anyone experienced a viewstate expiring or knows if it can expire and cause an issue like this? Or do you know what else could cause the viewstate error besides a web farm/machine key or a postback before the form has fully rendered?

Update: I just compared the value of the _VIEWSTATE hidden field between the page when I had a problem and the same page when it worked and the value was exactly the same.

+1  A: 

Viewstate can expire, if your application recycles and you have autogenerated machine keys turned on. The Viewstate MAC is calculated using the machine key to stop tampering. If the machine key changes then it becomes invalid. As you're talking about a dev machine from the day before it's likely this is what's happening.

I do hope you haven't left event and request validation disabled. If you have ... what's your web site address?

blowdart  2009-12-15 15:13:32
It's only turned off on one page that was giving me problems. I'll need to turn it back on now. Do you know if there's any way I can test whether it's expired the prevent this error from coming? I'm getting multiple errors each day.
jwynveen  2009-12-15 15:17:47
By the way, I'm actually not using autogenerated machine keys. I have a decryption and validation key set in the web.config. Does that make any difference?
jwynveen  2009-12-15 15:22:31
Oh, if you're using a fixed machine key then that is weird, unless you're manually adding a viewstateuserkey that is equal to something stored in session.
blowdart  2009-12-15 15:39:59
And there's no way to tell why its invalid I'm afraid, it just doesn't get that granular.
blowdart  2009-12-15 15:40:45

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps