validation of viewstate MAC failed


russell.lane

I'm getting the much-hated "validation of viewstate MAC failed" error. This
is on an ASP.Net 2.0 app running in IIS with IE 6+ as the browser.

The full error text is:
Validation of viewstate MAC failed. If this application is hosted by a Web
Farm or cluster, ensure that <machineKey> configuration specifies the same
validationKey and validation algorithm. AutoGenerate cannot be used in a
cluster.

The app *is not* running in a cluster or web farm.

I put the following line in the web.config files for the relevant apps:

<pages validateRequest="false" enableEventValidation="false"
viewStateEncryptionMode ="Never" />

This helped, but did not completely solve, the problem. What I see now is
that, even with this fix in place, if a user leaves a browser session idle
for a while (more than 20 minutes?) the viewstate error will return.

Is this error related to something that is timing out (session lifetime,
security credential, etc)? What should I look for next?

This bug is very annoying to our end users.

Thanks!

Russell Lane
 

bruce barker (sqlwork.com)

If you want the viewstate encryption key to survive appdomain recycles, set
the validation key in the config.

-- bruce (sqlwork.com)
 

russell.lane

Bruce -

Many thanks for the reply. Can you expand on this a bit?

What are appdomain recycles? What prompts them?
How do I set the validation key in the config?

Thanks -
 

Steven Cheng[MSFT]

Hello Russell,

Yes, I think Bruce's explanation and suggestion are reasonable.

The reason you'll get such an error when you post back a page that has been
idle at the client for a long period is as below:

ASP.NET will




#How To: Configure MachineKey in ASP.NET 2.0
 

Steven Cheng[MSFT]

Sorry for the previous corrupted reply.
======================================

Hello Russell,

Yes, I think Bruce's explanation and suggestion are reasonable.

The reason you'll get such an error when you post back a page that has been
idle at the client for a long period is as below:

ASP.NET web pages use ViewState to store some persisted state and info of
web controls on the page. This is stored in an <input name="__VIEWSTATE"
..../> HTML hidden element. Since this data is sensitive, ASP.NET by
default enables the ViewStateMac for every page. This ViewStateMAC is like a
simple digest & signature of the ViewState appended to the ViewState, and
on each postback the ASP.NET runtime will verify the ViewState (with the
digest signature) to see whether it has been tampered with or not.

The digest & signature of the ViewState is generated based on a validation key.
This key is by default autogenerated and will vary between different
applications or before and after an application restart. Therefore, when the
user requests a page and lets it idle at the client side for a long period, if
the web application at the server side has restarted (appdomain recycle or
process recycle), the validation key (used to generate the ViewState MAC) will
be changed; thus, if you post back with the old ViewState & MAC, the
server-side runtime will fail to verify it and report a ViewState validation
error. You will also encounter this problem when you visit a page from
Google's cache image (with invalid ViewState content in it).

Bruce's suggestion is that you can manually specify the validation key in
the machine.config or the application's web.config so that the ASP.NET runtime
will always use the fixed key to generate the ViewState MAC (no matter whether
the application has restarted or not). And in a web farm environment you can
even make different applications on different servers use the same key.

Here is a good article describing in detail how to generate a custom key and
specify it in the web.config file:


#How To: Configure MachineKey in ASP.NET 2.0
http://msdn.microsoft.com/library/en-us/dnpag2/html/paght000007.asp?frame=true


Hope this helps clarify some. If you have anything unclear, please feel free
to post here.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead



This posting is provided "AS IS" with no warranties, and confers no rights.
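
The failure mode described in the reply above, as a simplified model (an added example, not part of the original thread and not ASP.NET's actual ViewState serializer). The `AppDomain` class, `survives_recycle` and `machine_key_element` are hypothetical names, and HMAC-SHA1 over the raw state bytes stands in for the runtime's MAC.

```python
import base64
import hashlib
import hmac
import secrets

MAC_LEN = hashlib.sha1().digest_size  # 20 bytes for HMAC-SHA1


class AppDomain:
    """Toy stand-in for one running ASP.NET application (hypothetical model)."""

    def __init__(self, validation_key=None):
        # No configured key models AutoGenerate: a fresh random key per start.
        self.key = validation_key or secrets.token_bytes(64)

    def render(self, state: bytes) -> str:
        """Return the hidden-field value: base64(state || HMAC(key, state))."""
        mac = hmac.new(self.key, state, hashlib.sha1).digest()
        return base64.b64encode(state + mac).decode("ascii")

    def postback(self, field: str) -> bytes:
        """Verify the MAC on a posted field and return the state bytes."""
        raw = base64.b64decode(field)
        state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
        expected = hmac.new(self.key, state, hashlib.sha1).digest()
        if not hmac.compare_digest(mac, expected):
            raise ValueError("Validation of viewstate MAC failed")
        return state


def survives_recycle(validation_key=None) -> bool:
    """Render a page, restart the application, then post the old field back."""
    field = AppDomain(validation_key).render(b"constructed-control-state")
    restarted = AppDomain(validation_key)  # recycle: new instance, key set again
    try:
        restarted.postback(field)
        return True
    except ValueError:
        return False


def machine_key_element(key: bytes) -> str:
    """Format a fixed key as a web.config <machineKey> element."""
    return '<machineKey validationKey="%s" validation="SHA1" />' % key.hex().upper()


if __name__ == "__main__":
    fixed = secrets.token_bytes(64)  # constructed sample key, generated once
    print("auto-generated key survives recycle:", survives_recycle())
    print("fixed key survives recycle:", survives_recycle(fixed))
    print(machine_key_element(fixed))
```

On a real server the key is generated once and stored in web.config or machine.config, and every server in a farm needs the same value.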
 

Steven Cheng[MSFT]

Hello Russell,

Have you got any further ideas on this issue, or does the information in my
last reply help some?

Please feel free to post here if there is anything else we can help with.

Sincerely,

Steven Cheng

Microsoft MSDN Online Support Lead


 
