MAC Viewstate Error When Clicking on a Submit Button

We are building a website using .NET Framework 2.0 running in integrated mode on a single 64-bit Windows 2008 Server machine.

On the login form of our website, it is possible to post the form twice by pressing Enter and clicking the login Submit button.

Before we fixed this issue, ASP.NET returned the following error when the form was posted twice:

Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Web.HttpException: Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
Stack Trace:
[HttpException (0x80004005): Unable to validate data.]
System.Web.Configuration.MachineKeySection.GetDecodedData(Byte[] buf, Byte[] modifier, Int32 start, Int32 length, Int32& dataLength) +10986325
System.Web.UI.ObjectStateFormatter.Deserialize(String inputString) +295
[ViewStateException: Invalid viewstate.
Client IP: xxx.xxx.xxx.xxx
Port: 60414
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30618; InfoPath.2; OfficeLiveConnector.1.4; OfficeLivePatch.1.3; .NET4.0C; .NET4.0E)
ViewState: ...]
[HttpException (0x80004005): Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.]
System.Web.UI.ViewStateException.ThrowError(Exception inner, String persistedState, String errorPageMessage, Boolean macValidationError) +148
System.Web.UI.ObjectStateFormatter.Deserialize(String inputString) +10959605
System.Web.UI.Util.DeserializeWithAssert(IStateFormatter formatter, String serializedState) +59
System.Web.UI.HiddenFieldPageStatePersister.Load() +10959704
System.Web.UI.Page.LoadPageStateFromPersistenceMedium() +11043464
System.Web.UI.Page.LoadAllState() +46
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +11038983
System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +11038522
System.Web.UI.Page.ProcessRequest() +91
System.Web.UI.Page.ProcessRequest(HttpContext context) +240
ASP.svs_pages_homepage_aspx.ProcessRequest(HttpContext context) +9
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +599
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +171

This was resolved by adding the following attribute to the <pages> tag in the web.config:

enableViewStateMac="false"

If enableViewStateMac is set to true, the viewstate data is checked when the web server receives it to see whether it has been tampered with. It seems that the double post, made by clicking the submit button and pressing Enter, alters the viewstate data in such a way that the viewstate check fails.

There are security implications in setting enableViewStateMac to false. Indeed, Microsoft recommends that “this attribute should never be set to false in a production Web site”. More information on enableViewStateMac can be found here.

In this particular scenario, it is better to ensure that the form cannot be posted twice, maybe by disabling the ability to submit the form by pressing Enter on the client, rather than setting enableViewStateMac to false.
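
One way to block the second post on the client while leaving enableViewStateMac at true, as an added example that is not part of the original post. The function name guardAgainstDoubleSubmit, the resetAfterMs parameter and the use of document.forms[0] are assumptions.

```javascript
// Added example, not from the original post. The names
// guardAgainstDoubleSubmit and resetAfterMs are hypothetical.
function guardAgainstDoubleSubmit(form, resetAfterMs) {
  var inFlight = false;
  var stats = { allowed: 0, blocked: 0 };

  form.addEventListener('submit', function (event) {
    // An earlier handler (for example client-side validation) already
    // cancelled this submit, so nothing was posted: leave the latch open.
    if (event.defaultPrevented) {
      return;
    }
    if (inFlight) {
      // Second post of the same form (Enter followed by a click): cancel it.
      event.preventDefault();
      stats.blocked += 1;
      return;
    }
    // Latch with a flag instead of disabling the button: disabled controls
    // are left out of the posted form data, and the server may need the
    // button's name to know which control caused the post.
    inFlight = true;
    stats.allowed += 1;
    // Optionally reopen the latch so the user can retry if no response comes.
    if (resetAfterMs > 0) {
      setTimeout(function () { inFlight = false; }, resetAfterMs);
    }
  });
  return stats; // counters, useful for logging how often double posts occur
}

// Assumption: the login form is the first form on the page.
if (typeof document !== 'undefined' && document.forms.length > 0) {
  guardAgainstDoubleSubmit(document.forms[0], 10000);
}
```

Browsers as old as the MSIE 7.0 client shown in the stack trace do not support addEventListener and would need attachEvent for the same guard.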

@MobeenAnwar

Author: Mobeen Anwar
