ASP.NET MVC: Validation of ViewState MAC Failed

After publishing a new build of my ASP.NET MVC web application, I often see this exception thrown when browsing the site:

System.Web.Mvc.HttpAntiForgeryException: A required anti-forgery token was not supplied or was invalid. ---> System.Web.HttpException: Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster. ---> System.Web.UI.ViewStateException: Invalid viewstate.

This exception will continue on every page I visit in my web application until I close Firefox. After reopening Firefox, the site works fine. Any idea what is going on?

Additional notes:

  • I do not use any ASP.NET web controls (there are no runat="server" instances in my application)
  • If I pull <%= Html.AntiForgeryToken() %> out of my pages, this problem seems to go away.
+19
asp.net-mvc
Sep 01 '09 at 0:46
3 answers

Under the covers, the MVC AntiForgeryToken attribute uses the machine key for encryption. If you do not specify a machine key in the web.config file (see here), it is automatically created for you by ASP.NET (full description).

If the ASP.NET application restarts (for example, iisreset), the AntiForgeryToken in the browser cookie will still be encrypted using the old machine key, so it crashes with the above error.

Therefore, you should always specify the machine key in your web.config when using MVC, for example:

    <configuration>
      <system.web>
        <machineKey
          validationKey="21F090935F6E49C2C797F69BBAAD8402ABD2EE0B667A8B44EA7DD4374267A75D7AD972A119482D15A4127461DB1DC347C1A63AE5F1CCFAACFF1B72A7F0A281B"
          decryptionKey="ABAA84D7EC4BB56D75D217CECFFB9628809BDB8BF91CFCD64568A145BE59719F"
          validation="SHA1"
          decryption="AES" />
        ...
+32
Oct 16 '09 at 10:07

If you are on a server farm, make sure that your machine key on each server is the same.

+1
Sep 01 '09 at 1:40

I had this problem too, and expecting users to clear their cache, cookies or refresh the page is unacceptable.

Adding a machine key to web.config will fix it. I used this tool to quickly create a key, so I do not see these errors in development, and then I create it correctly when the site goes into production.

http://aspnetresources.com/tools/machineKey

0
May 24 '11 at 9:09 a.m.
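
The answers above come down to two checks: every server needs an explicit machineKey, and every server in a farm needs the same one. The following is an added example, not code from any of the answers or from ASP.NET itself. It generates a key locally from the OS random source and audits a set of web.config files for missing, AutoGenerate or mismatched keys. The function names and the sample farm are assumptions made for the illustration.

```python
import secrets
import xml.etree.ElementTree as ET

def new_machine_key():
    """Build a <machineKey> element from locally generated random keys."""
    validation_key = secrets.token_hex(64).upper()   # 64 random bytes for SHA1 HMAC
    decryption_key = secrets.token_hex(32).upper()   # 32 random bytes for AES
    return (f'<machineKey validationKey="{validation_key}" '
            f'decryptionKey="{decryption_key}" validation="SHA1" decryption="AES" />')

def read_machine_key(web_config_xml):
    """Return (validationKey, decryptionKey), or None when there is no element."""
    element = ET.fromstring(web_config_xml).find("system.web/machineKey")
    if element is None:
        return None
    # An omitted attribute falls back to ASP.NET's auto-generated key.
    return (element.get("validationKey", "AutoGenerate"),
            element.get("decryptionKey", "AutoGenerate"))

def audit_farm(configs):
    """configs maps server name -> web.config text; returns a list of findings."""
    findings, explicit = [], {}
    for server in sorted(configs):
        keys = read_machine_key(configs[server])
        if keys is None or any(k.upper().startswith("AUTOGENERATE") for k in keys):
            findings.append(f"{server}: machineKey missing or AutoGenerate")
        else:
            explicit[server] = keys
    if len(set(explicit.values())) > 1:
        findings.append("explicit keys differ between: " + ", ".join(sorted(explicit)))
    return findings

def wrap(machine_key_element):
    """Constructed minimal web.config around a machineKey element (sample input)."""
    return f"<configuration><system.web>{machine_key_element}</system.web></configuration>"

# Constructed sample farm: web1 and web2 share one key, web3 has none configured.
SHARED = new_machine_key()
SAMPLE_FARM = {"web1": wrap(SHARED), "web2": wrap(SHARED), "web3": wrap("")}

if __name__ == "__main__":
    for finding in audit_farm(SAMPLE_FARM):
        print(finding)
```

Generate the key on a machine you control and keep it out of public source control. A key that has been published, including the sample shown in the answer above, should not be deployed.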