We are building a website using .NET Framework 2.0, running in integrated mode on a single 64-bit Windows 2008 Server machine.
On the login form of our website, it is possible to post the form twice by pressing Enter and clicking the login Submit button.
Before we fixed this issue, ASP.NET returned the following error when the form was posted twice:
Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Web.HttpException: Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
Stack Trace:
[HttpException (0x80004005): Unable to validate data.]
   System.Web.Configuration.MachineKeySection.GetDecodedData(Byte[] buf, Byte[] modifier, Int32 start, Int32 length, Int32& dataLength) +10986325
   System.Web.UI.ObjectStateFormatter.Deserialize(String inputString) +295
[ViewStateException: Invalid viewstate.
   Client IP: xxx.xxx.xxx.xxx
   Port: 60414
   User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; Trident/4.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30618; InfoPath.2; OfficeLiveConnector.1.4; OfficeLivePatch.1.3; .NET4.0C; .NET4.0E)
   ViewState: ...]
[HttpException (0x80004005): Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.]
   System.Web.UI.ViewStateException.ThrowError(Exception inner, String persistedState, String errorPageMessage, Boolean macValidationError) +148
   System.Web.UI.ObjectStateFormatter.Deserialize(String inputString) +10959605
   System.Web.UI.Util.DeserializeWithAssert(IStateFormatter formatter, String serializedState) +59
   System.Web.UI.HiddenFieldPageStatePersister.Load() +10959704
   System.Web.UI.Page.LoadPageStateFromPersistenceMedium() +11043464
   System.Web.UI.Page.LoadAllState() +46
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +11038983
   System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +11038522
   System.Web.UI.Page.ProcessRequest() +91
   System.Web.UI.Page.ProcessRequest(HttpContext context) +240
   ASP.svs_pages_homepage_aspx.ProcessRequest(HttpContext context) +9
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +599
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +171
This was resolved by adding the following attribute to the <pages> tag in the web.config:
enableViewStateMac="false"
If enableViewStateMac is set to true then the viewstate data is checked when it is received by the web server to see if it has been tampered with. It seems that when doing the double-post, by clicking on the submit button and pressing enter, the viewstate data is altered in such a way that the viewstate check fails.
There are security implications in setting enableViewStateMac to false. Indeed, Microsoft recommends that “this attribute should never be set to false in a production Web site”. More information on enableViewStateMac can be found here.
In this particular scenario, it is better to ensure that the form cannot be posted twice, perhaps by disabling the ability to submit the form by pressing Enter on the client, rather than setting enableViewStateMac to false.
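A simplified model of the check that enableViewStateMac controls, added here as an illustration; it is not code from the original post and does not reproduce ASP.NET's serialization or key handling. It assumes a field layout of base64(state || HMAC-SHA1(key, state)); the function names, keys and state string are constructed for the example.

```python
import base64
import hashlib
import hmac

MAC_LEN = hashlib.sha1().digest_size  # 20 bytes


class MacValidationError(Exception):
    """The posted state field did not carry a valid MAC."""


def protect(state: bytes, key: bytes, enable_mac: bool = True) -> str:
    """Build the hidden-field value: base64(state || HMAC-SHA1(key, state))."""
    mac = hmac.new(key, state, hashlib.sha1).digest() if enable_mac else b""
    return base64.b64encode(state + mac).decode("ascii")


def load(field: str, key: bytes, enable_mac: bool = True) -> bytes:
    """Return the state from a posted field, verifying the MAC if enabled."""
    raw = base64.b64decode(field)
    if not enable_mac:
        return raw  # nothing is checked: the client's bytes become page state
    state, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, state, hashlib.sha1).digest()
    if len(raw) < MAC_LEN or not hmac.compare_digest(mac, expected):
        raise MacValidationError("Validation of viewstate MAC failed")
    return state


def accepted(field: str, key: bytes) -> bool:
    try:
        load(field, key)
        return True
    except MacValidationError:
        return False


def demo() -> dict:
    key, other_key = b"constructed-key-A", b"constructed-key-B"  # sample keys
    state = b"role=guest;step=login"                              # sample state
    field = protect(state, key)
    raw = base64.b64decode(field)
    edited = base64.b64encode(raw.replace(b"guest", b"admin")).decode()
    cut = base64.b64encode(raw[:-4]).decode()  # field that arrived incomplete
    forged = base64.b64encode(b"role=admin;step=login").decode()
    return {
        "intact": accepted(field, key),
        "edited": accepted(edited, key),
        "incomplete": accepted(cut, key),
        "other_key": accepted(field, other_key),  # the web-farm case in the error text
        "mac_off_forged": load(forged, key, enable_mac=False),
    }
```

With the MAC enabled, the edited, incomplete and wrong-key fields are all rejected with the same error; with it disabled, the forged field is returned as page state without any check.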