You may come across this error message when you get around in pages of your ASP.NET website:
Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
Background
ASP.NET uses view-state variable to rebuild pages after post-backs. The text of your buttons and the value of the form fields are the examples that this variable stores.
In order to prevent tempering attacks that try to play around with view-state data to force your webpage behave unexpectedly, web server validates the view-state data between page redirections. If the data doesn’t match, you receive the error message above.
Solution
This Microsoft article summarizes the possible causes and solutions. Based on my experience, creating a new machine key and adding it to the web.config file is the most preferred solution (Example).
Steps in high-level:
- Open IIS Manager. Go to “Machine Key” module
- Unselect all options and click “Generate Keys”
- Copy both validation and decryption keys into notepad
- Click “Apply”
- Add the line below to your web.config file
- Deploy your application and test
<configuration>
<system.web>
<machineKey decryptionKey="xx"
validationKey="xx" />
</system.web>
</configuration>
The issue of unmatched view-state data could be related to server configuration or session cookie as well. Here are the most common root causes:
- Web server and application pool configuration related issues. Read details in this Microsoft Support article
- If you are using
ViewStateUserKey
to prevent Cross-site Request Forgery (CSRF) attacks, make sure the value you assign to this variable is the same in all pages. The most common usage is that assigning session ID or username toViewStateUserKey
. Your website might be losing the session between page redirections. Check these two StackOverflow topics for details: Link 1, link 2 - Redirecting the page right after setting session variables may be the issue. You should avoid using
Response.Redirect
in this case. Details - Antivirus software might be causing the issue. Add scanning exceptions for IIS and your application’s folders. Details
If nothing works, you may try overriding SavePageStateToPersistenceMedium method to implement a way for keeping the same view state value across the requests.
1 thought on “Solved: “Validation of viewstate MAC failed””