There are several conditions that may cause this issue. Each known condition is presented with a short explanation and a possible workaround.

- Application Pool Recycling
- Server Farms or Server Clusters
- Form Posts
- Proxy servers and Virus Scanners
The issue presents itself with a message similar to the following:
Background

Viewstate represents the state of the page when it was last processed on the server. The contents of the page are stored in a container and moved to and from the server on each request. By default, ASP.NET validates the contents of viewstate to ensure that it has not been tampered with. If this validation test fails, an invalid viewstate exception is thrown. Some known issues that cause this test to fail are listed below.
Application Pool Recycling

IIS 6 will periodically recycle the application pool to maintain the health of the application pool. At the instant when the application pool is being recycled, browser requests may sometimes result in an invalid viewstate error. The fix in this case is to adjust the settings on the application pools so that recycling is less likely to occur at peak periods. This issue represents a bug, since the application pool is supposed to gracefully handle this condition.
Server Farms or Server Clusters

Applications running in a server cluster must have all the machineKey configurations set to the same validationKey. The default autogenerate key cannot be used in a cluster environment. The registry keys responsible for autogeneration are listed here:
When the machineKey is set to AutoGenerate, the key information is stored in the HKEY_CURRENT_USER hive for the account running the process. For W2k3 servers, this is the Network Service account. Otherwise, the account is the ASP.NET machine account. When the process launches, ASP.NET will use the HKEY_CURRENT_USER registry key if it is available. If this key is not available, the HKEY_LOCAL_MACHINE key will be used. If neither registry key exists, the process creates the key in the HKEY_LOCAL_MACHINE hive. If these conditions fail, the process creates a brand new set of keys.
When the application pool is running under a user account, the above keys are not generated, leading to an intermittent invalid viewstate error.
The workaround is to use a specific key in the machine.config to prevent automatic key generation on each process start. The key must be exactly 128 bits made up of random characters and inserted into the configuration file on each web server experiencing the problem.
Form Posts

Viewstate can only be posted back to the same page. Attempting to post an aspx form to another page will fail with an invalid viewstate exception. This behavior is by design.
One other remedy involves disabling the Machine Authentication Check. Unless you implement a backup authentication mechanism, you should refrain from this approach. Machine Authentication Checks are important in reducing the attack surface of ASP.NET applications.
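The server farm requirement and the Machine Authentication Check caveat above can both be checked by comparing the configuration files collected from each node. The following is an added example, not code from the original article: the node names and key values are constructed placeholders, and it assumes each node's settings live in a `machineKey` element and a `pages` element under `system.web`.

```python
import xml.etree.ElementTree as ET
from collections import Counter

def _cfg(machine_key="", pages=""):
    # Build a constructed config document for the sample data below.
    return f"<configuration><system.web>{machine_key}{pages}</system.web></configuration>"

# Constructed sample data: hypothetical node names and placeholder key values.
KEY_A, KEY_B = "AA" * 20, "BB" * 20
SAMPLE_CONFIGS = {
    "web01": _cfg(f'<machineKey validationKey="{KEY_A}" validation="SHA1"/>'),
    "web02": _cfg(f'<machineKey validationKey="{KEY_A}" validation="SHA1"/>'),
    "web03": _cfg('<machineKey validationKey="AutoGenerate" validation="SHA1"/>'),
    "web04": _cfg(f'<machineKey validationKey="{KEY_B}" validation="SHA1"/>',
                  '<pages enableViewStateMac="false"/>'),
}

def inspect_config(xml_text):
    """Return (validationKey, mac_enabled) for one node's config file."""
    root = ET.fromstring(xml_text)
    mk = root.find("system.web/machineKey")
    # A missing element or attribute falls back to the auto-generated default.
    key = mk.get("validationKey", "AutoGenerate") if mk is not None else "AutoGenerate"
    pages = root.find("system.web/pages")
    mac = pages.get("enableViewStateMac", "true") if pages is not None else "true"
    return key, mac.strip().lower() == "true"

def audit_farm(configs):
    """Return a list of (node, problem) findings for a set of farm nodes."""
    findings, explicit = [], {}
    for node, text in configs.items():
        key, mac_on = inspect_config(text)
        if not mac_on:
            findings.append((node, "viewstate MAC disabled"))
        if key.upper().startswith("AUTOGENERATE"):
            findings.append((node, "validationKey is auto-generated"))
        else:
            explicit[node] = key.upper()
    if explicit:
        # Compare against the most common key; never print key material itself.
        majority = Counter(explicit.values()).most_common(1)[0][0]
        for node, key in explicit.items():
            if key != majority:
                findings.append((node, "validationKey differs from other nodes"))
    return findings

if __name__ == "__main__":
    for node, problem in audit_farm(SAMPLE_CONFIGS):
        print(f"{node}: {problem}")
```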
Proxy servers and Virus Scanners

A firewall and/or antivirus software can tamper with the viewstate, resulting in an invalid viewstate exception being thrown.
1. Adjust the settings on the application pools so that recycling is less likely to occur at peak periods.
2. Use a specific key in the machine.config to prevent automatic key generation on each process start.
3. Only post to the same ASPX page.
4. Turn off firewall and antivirus software.

Issues that haven't been covered here should be submitted to Microsoft product support for further consideration.