Invalid viewstate exception when using AntiForgeryToken

marthijnh
Oct 08, 2009 11:05 AM
Hi all,
In my MVC (version 1) application I'm using the forms authentication mode to authenticate users, everything works fine. When the session has expired and the user clicks on a link, he is redirected to the login page. But when the user authenticates again the following exception occurs:
Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
The last line of the stack trace (HttpException) caught my attention:
System.Web.Mvc.AntiForgeryDataSerializer.Deserialize(String serializedToken)
When I remove the AntiForgery cookie in Firefox my application worked again, so I removed the Html.AntiForgeryToken() from my page.
I don't understand why the antiforgery token caused an invalid viewstate exception. I didn't put the Html.AntiForgeryToken() function in a BeginForm element, could that be the problem or did I overlook something else?

ricka6
Microsoft
Moderator
Oct 08, 2009 03:21 PM
The error is misleading. You are probably missing the [ValidateAntiForgeryToken] attribute. Try to get a simple sample working, the MVC AntiForgery plumbing works well, but you need all the elements.

marthijnh
Oct 09, 2009 08:24 AM
Thanks for your reply, but the strange thing is that the application works fine until the session expires and the user tries to re-authenticate himself. And when I miss the [ValidateAntiForgeryToken] I should see this error: "A required anti-forgery token was not supplied or was invalid", right?
By the way, MVC is not installed on that server (by providing the MVC assembly and changing the default route the application works). Could that cause the error?

ricka6
Microsoft
Moderator
Oct 09, 2009 05:55 PM
Bin deployed MVC and GAC are the same. Can you reproduce this with a simple MVC app using IIS7 (Vista/Win08) or IIS 7.5?

marthijnh
Oct 12, 2009 12:08 PM
I reproduced the error on the servers of my webhoster:
Create a new MVC project
Create a separate logon page (i.e. remove the contentplaceholders from the default logon page, add html tags, etc.)
Put the [authorize] filter on the actions in the homecontroller
In the masterpage, call the antiforgerytoken htmlhelper function before the </body> tag (not in a form)
Change the accountcontroller such that test/test account works
Log in and wait till the session expires, then click for example on the Home link in the menu. Because the session is expired you need to re-authenticate, then the invalid viewstate error occurs.
I will contact my webhoster for the IIS and Windows version.

levib
Microsoft
Oct 12, 2009 05:30 PM
A few issues:
The Html.AntiForgeryToken() call must be within a form. It generates a hidden input field that must be sent back along with the form.
The anti-forgery tokens do not depend on Session. The exception text directs you to add a <machineKey> section to Web.config; are you still seeing this error after adding this section?
Marked as answer by ricka6 on Oct 14, 2009 12:28 AM
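
The requirement in the exception text, that every server validating a token uses the same validationKey, can be seen in a small model. This is an added example, not part of the thread and not MVC's own code: a Python stand-in using HMAC-SHA256, where `Node`, `accepted_by_other_node`, `fresh_token_accepted` and the token value are hypothetical names and constructed data.

```python
import base64
import hashlib
import hmac
import os

MAC_LEN = 32  # HMAC-SHA256 digest size


class Node:
    """Toy web server (hypothetical). With validation_key=None it generates
    its own random key, standing in for an auto-generated machine key."""

    def __init__(self, validation_key=None):
        self.key = validation_key or os.urandom(32)

    def issue_token(self, payload: bytes) -> str:
        mac = hmac.new(self.key, payload, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(payload + mac).decode()

    def validate(self, token: str) -> bytes:
        raw = base64.urlsafe_b64decode(token)
        payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            raise ValueError("MAC validation failed")
        return payload


def accepted_by_other_node(shared_key=None) -> bool:
    """Issue a token on one node and present it to a second node."""
    issuer, validator = Node(shared_key), Node(shared_key)
    token = issuer.issue_token(b"constructed-antiforgery-value")
    try:
        validator.validate(token)
        return True
    except ValueError:
        return False


def fresh_token_accepted() -> bool:
    """A client holding no old token gets one from the node it talks to."""
    node = Node()
    value = b"constructed-antiforgery-value"
    return node.validate(node.issue_token(value)) == value


if __name__ == "__main__":
    print("auto-generated keys:", accepted_by_other_node())
    print("shared key:         ", accepted_by_other_node(b"k" * 32))
    print("fresh token:        ", fresh_token_accepted())
```

A token stored by the client is only as durable as the key that signed it: with per-node keys the stored token is rejected until the client discards it, while a configured shared key lets any node validate it.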

marthijnh
Oct 12, 2009 06:35 PM
I make use of auto-generated forms by using jQuery. When making an AJAX call I submit the anti forgery token in the request. This works fine, but when I need to re-authenticate after the session expires the exception occurs. After a few hours the application works again. I also found out that when the application crashes in, for example, Firefox, it still works in other browsers (until it crashes there of course).
I tried to solve the problem by adding a machine key in the web.config, but it didn't change anything...

ricka6
Microsoft
Moderator
Oct 14, 2009 12:31 AM
>>In the masterpage, call the antiforgerytoken htmlhelper function before the </body> tag (not in a form)
That's the problem

marthijnh
Oct 16, 2009 09:33 AM
I tried it again by creating a form using Html.BeginForm. This time not in the masterpage but just in the Home/Index page, and again when the session expired and I logged on the application crashed. The Home/About page does not contain a form with validation token and is working fine.
I also tried it on another server, no problems found there, so I think the problem is caused by my webhosting provider.

ricka6
Microsoft
Moderator
Oct 16, 2009 06:44 PM
I think you're right - we have lots of folks using AntiForgeryToken. It would be nice to get a list of MVC friendly providers.