Last post Nov 28, 2009 06:14 PM by Adam.Kahtava
Oct 08, 2009 12:05 PM|marthijnh|LINK
In my MVC (version 1) application I'm using the forms authentication mode to authenticate users; everything works fine. When the session has expired and the user clicks on a link, he is redirected to the login page. But when the user authenticates again the following exception occurs:
Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
The last line of the stack trace (HttpException) caught my attention:
When I remove the AntiForgery cookie in Firefox my application worked again, so I removed the Html.AntiForgeryToken() from my page.
I don't understand why the antiforgery token caused an invalid viewstate exception. I didn't put the Html.AntiForgeryToken() function in a BeginForm element, could that be the problem or did I overlook something else?
Oct 08, 2009 04:21 PM|ricka6|LINK
The error is misleading. You are probably missing the [ValidateAntiForgeryToken] attribute. Try to get a simple sample working, the MVC AntiForgery plumbing works well, but you need all the elements.
Oct 09, 2009 09:24 AM|marthijnh|LINK
Thanks for your reply, but the strange thing is that the application works fine until the session expires and the user tries to re-authenticate himself. And when I miss the [ValidateAntiForgeryToken] I should see this error: "A required anti-forgery token was not supplied or was invalid", right?
By the way, MVC is not installed on that server (by providing the MVC assembly and changing the default route the application works). Could that cause the error?
Oct 09, 2009 06:55 PM|ricka6|LINK
Bin deployed MVC and GAC are the same. Can you reproduce this with a simple MVC app using IIS7 (vista/Win08) or IIS 7.5?
Oct 12, 2009 01:08 PM|marthijnh|LINK
I reproduced the error on the servers of my webhoster:
I will contact my webhoster for the IIS and Windows version.
Oct 12, 2009 06:30 PM|levib|LINK
A few issues:
The Html.AntiForgeryToken() call must be within a form. It generates a hidden input field that must be sent back along with the form.
The anti-forgery tokens do not depend on Session. The exception text directs you to add a <machineKey> section to Web.config; are you still seeing this error after adding this section?
Oct 12, 2009 07:35 PM|marthijnh|LINK
I make use of auto generated forms by using jQuery. When making an AJAX call I submit the anti forgery token in the request. This works fine, but when I need to re-authenticate after the session expires the exception occurs. After a few hours the application works again. I also found out that when the application crashes in for example Firefox, it still works in other browsers (until it crashes there of course).
I tried to solve the problem by adding a machine key in the web.config, but it didn't change anything...
Oct 14, 2009 01:31 AM|ricka6|LINK
>>In the masterpage, call the antiforgerytoken htmlhelper function before the </body> tag (not in a form)
That's the problem
Oct 16, 2009 10:33 AM|marthijnh|LINK
I tried it again by creating a form using Html.BeginForm. This time not in the masterpage but just in the Home/Index page, and again when the session expired and I logged on the application crashed. The Home/About page does not contain a form with validation token and is working fine.
I also tried it on another server, no problems found there, so I think the problem is caused by my webhosting provider.
Oct 16, 2009 07:44 PM|ricka6|LINK
I think you're right - we have lots of folks using AntiForgeryToken. It would be nice to get a list of MVC friendly providers.
Oct 17, 2009 09:45 AM|marthijnh|LINK
For now I fixed it by implementing a custom made anti forgery token. Thanks all for helping :)
Oct 18, 2009 09:40 AM|levib|LINK
Can you copy + paste the <machineKey> section you were using? The AntiForgeryToken depends on this section for cryptographic routines, so it would be nice to see why this isn't working.
Oct 19, 2009 06:22 PM|marthijnh|LINK
My webhosting provider has changed something in the configuration, the AntiForgeryToken works in combination with a machine key (which I generated with an online tool btw) so no exceptions anymore! Also my session doesn't expire anymore.
Nov 28, 2009 06:14 PM|Adam.Kahtava|LINK
I host my site on Shared Hosting (GoDaddy) and was getting this same error whenever my application was recycled (when I made .config changes or dll updates).
The quick solution was to delete my cookies for my site, the long term solution was to add the machine key to my web.config.
You can read more here:
How To Fix the: “Validation of viewstate MAC failed” Error (ASP.NET MVC)
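The failure discussed in this thread, as an added example that is not part of any post and is not ASP.NET's own code: a simplified Python model of a MAC-protected cookie that is validated after an application recycle, once with a key that each process generates for itself and once with a key fixed in configuration. The `Worker` class, the HMAC-SHA256 construction, the token layout and the sample payload are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


class Worker:
    """One worker process of the site (simplified model, hypothetical class)."""

    def __init__(self, configured_key=None):
        # configured_key models an explicit <machineKey> in Web.config.
        # None models a key generated afresh by each process (assumption).
        self.key = configured_key or secrets.token_bytes(64)

    def issue(self, payload: bytes) -> bytes:
        """Return the payload followed by its MAC, as stored in the cookie."""
        return payload + hmac.new(self.key, payload, hashlib.sha256).digest()

    def validate(self, token: bytes) -> bool:
        """Recompute the MAC with this process's key; constant-time compare."""
        if len(token) <= MAC_LEN:
            return False
        payload, mac = token[:-MAC_LEN], token[-MAC_LEN:]
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        return hmac.compare_digest(mac, expected)


def survives_recycle(configured_key=None) -> bool:
    """Issue a cookie, 'recycle' the application, validate the old cookie."""
    cookie = Worker(configured_key).issue(b"constructed-antiforgery-value")
    return Worker(configured_key).validate(cookie)


def new_validation_key_hex() -> str:
    """128 hex characters from the OS CSPRNG, generated locally."""
    return secrets.token_hex(64)


if __name__ == "__main__":
    fixed = bytes.fromhex(new_validation_key_hex())
    print("per-process key survives recycle:", survives_recycle())
    print("configured key survives recycle: ", survives_recycle(fixed))
```

In this model, deleting the cookie clears the error because it discards the token that was MAC'd under the old key, while a fixed key keeps existing tokens valid across recycles.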