Asp.net-mvc – ASP.NET MVC Validation of ViewState MAC failed

asp.net-mvc

After publishing a new build of my ASP.NET MVC web application, I often see this exception thrown when browsing to the site:

System.Web.Mvc.HttpAntiForgeryException: A required anti-forgery token was not supplied or was invalid. ---> System.Web.HttpException: Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster. ---> System.Web.UI.ViewStateException: Invalid viewstate.

This exception will continue to occur on each page I visit in my web application until I close out of Firefox. After reopening Firefox, the site works perfectly. Any idea what's going on?

Additional notes:

  1. I am not using any ASP.NET web controls (there are no instances of runat="server" in my application)
  2. If I take out the <%= Html.AntiForgeryToken() %> from my pages, this problem seems to go away

Best Answer

Under the covers, the MVC AntiForgeryToken attribute uses the machineKey for encryption. If you don't specify a machineKey in the web.config (see here), one is automatically generated for you by ASP.NET (full description).

If the ASP.NET application is restarted (e.g. by doing an iisreset), the AntiForgeryToken within the browser cookie will still be encrypted with an old machine key, which is why it fails with the above error.

So you should always specify a machineKey in your web.config when using MVC, e.g.

<configuration>
    <system.web>
        <machineKey
            validationKey="21F090935F6E49C2C797F69BBAAD8402ABD2EE0B667A8B44EA7DD4374267A75D7AD972A119482D15A4127461DB1DC347C1A63AE5F1CCFAACFF1B72A7F0A281B"
            decryptionKey="ABAA84D7EC4BB56D75D217CECFFB9628809BDB8BF91CFCD64568A145BE59719F"
            validation="SHA1"
            decryption="AES"
        />
    ...
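As an added illustration (not code from the question or the answer above), the following Python script simulates the failure mode the answer describes: a cookie whose MAC was computed under one validationKey fails verification after the key is regenerated on restart, but keeps verifying when the key is persisted. It also generates validationKey/decryptionKey values of the sizes ASP.NET expects for HMACSHA256 and AES (a stronger pairing than the SHA1 validation shown in the answer's snippet) and renders them as a <machineKey> element. The token layout used here (payload followed by an HMAC-SHA256 tag) is a constructed simplification for demonstration, not the real ASP.NET anti-forgery format; the function names and the cookie payload are assumptions of this example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Key sizes (in bytes) ASP.NET expects for the algorithms rendered below.
# HMACSHA256 validationKey: 64 bytes = 128 hex chars.
# AES decryptionKey:        32 bytes = 64 hex chars.
VALIDATION_KEY_BYTES = 64
DECRYPTION_KEY_BYTES = 32
TAG_BYTES = hashlib.sha256().digest_size  # 32


def generate_machine_key() -> dict:
    """Fresh random keys, upper-case hex as web.config expects.

    Run this once and paste the output into web.config; never let
    ASP.NET AutoGenerate keys on a farm, and keep the values out of
    public source control.
    """
    return {
        "validationKey": secrets.token_hex(VALIDATION_KEY_BYTES).upper(),
        "decryptionKey": secrets.token_hex(DECRYPTION_KEY_BYTES).upper(),
    }


def machine_key_xml(keys: dict) -> str:
    """Render a <machineKey> element using HMACSHA256 + AES."""
    return (
        "<machineKey\n"
        f'    validationKey="{keys["validationKey"]}"\n'
        f'    decryptionKey="{keys["decryptionKey"]}"\n'
        '    validation="HMACSHA256"\n'
        '    decryption="AES"\n'
        "/>"
    )


def mac_token(payload: bytes, validation_key_hex: str) -> str:
    """Simulated token: base64(payload || HMAC-SHA256(validationKey, payload))."""
    key = bytes.fromhex(validation_key_hex)
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode("ascii")


def verify_token(token: str, validation_key_hex: str) -> Optional[bytes]:
    """Return the payload if the MAC validates under this key, else None.

    None here corresponds to the "Validation of viewstate MAC failed"
    HttpException in the question: the bytes are intact, but the key the
    server now holds is not the one that produced the tag.
    """
    key = bytes.fromhex(validation_key_hex)
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    if len(raw) <= TAG_BYTES:
        return None
    payload, tag = raw[:-TAG_BYTES], raw[-TAG_BYTES:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time compare
        return None
    return payload


def simulate_restart(persist_key: bool) -> Tuple[bool, bool]:
    """(valid before restart, valid after restart) for a cookie issued pre-restart.

    persist_key=False models AutoGenerate: the app pool recycles and a new
    key is generated, so the browser's old cookie no longer validates.
    persist_key=True models a fixed <machineKey> in web.config.
    """
    keys_before = generate_machine_key()
    # Constructed sample cookie payload; the real token carries more fields.
    cookie = mac_token(b"__RequestVerificationToken:demo", keys_before["validationKey"])
    ok_before = verify_token(cookie, keys_before["validationKey"]) is not None

    keys_after = keys_before if persist_key else generate_machine_key()
    ok_after = verify_token(cookie, keys_after["validationKey"]) is not None
    return ok_before, ok_after


if __name__ == "__main__":
    print("AutoGenerate (key regenerated on restart):", simulate_restart(False))
    print("Fixed machineKey (key persisted):        ", simulate_restart(True))
    print(machine_key_xml(generate_machine_key()))
```

Running the script prints (True, False) for the AutoGenerate case and (True, True) for the persisted key, which is exactly the difference between the behaviour in the question (works until the browser cookie is discarded) and the behaviour after adding a fixed <machineKey>. Note that the same key must be present on every node of a web farm, or the MAC check fails in the same way whenever a request lands on a different node.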