Get Help:Ask a Question in our Forums|Report a Bug|More Help Resources
Last post Nov 28, 2009 05:14 PM by Adam.Kahtava
Oct 08, 2009 11:05 AM|LINK
In my MVC (version 1) application im using the forms authentication mode to authenticate users, everything works fine. When the session has expired and the user clicks on a link, he is redirected to the login page. But when the user authenticates again the
following exception occurs:
Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
The last line of the stack trace (HttpException) caught my attention:
When I remove the AntiForgery cookie in Firefox my application worked again, so I removed the Html.AntiForgeryToken() from my page.
I don't understand why the antiforgery token caused an invalid viewstate exception. I didn't put the Html.AntiForgeryToken() function in a BeginForm element, could that be the problem or did I overlooked something else?
Oct 08, 2009 03:21 PM|LINK
The error is misleading. You are probably missing the
[ValidateAntiForgeryToken] attribute. Try to get a simple sample working, the MVC
AntiForgery plumbing works well, but you need all the elements.
Oct 09, 2009 08:24 AM|LINK
Thanks for your reply, but the strange thing is that the application works fine until the session expires and the user tries to re-authenticate himself. And when I miss the [ValidateAntiForgeryToken] I should see this error: "A required anti-forgery token
was not supplied or was invalid", right?
By the way, MVC is not installed on that server (by providing the MVC assembly and changing the default route the application works). Could that cause the error?
Oct 09, 2009 05:55 PM|LINK
Bin deployed MVC and GAC are the same. Can you reproduce this with a simple MVC app using IIS7 (vista/Win08) or IIS 7.5?
Oct 12, 2009 12:08 PM|LINK
I reproduced the error on the servers of my webhoster:
I will contact my webhoster for the IIS and Windows version.
Oct 12, 2009 05:30 PM|LINK
A few issues:
The Html.AntiForgeryToken() call must be within a form. It generates a hidden input field that must be sent back along with the form.
The anti-forgery tokens do not depend on Session. The exception text directs you to add a <machineKey> section to Web.config; are you still seeing this error after adding this section?
Oct 12, 2009 06:35 PM|LINK
I make use of auto generated forms by using JQuery. When making an AJAX call I submit the anti forgery token in the request. This works fine, but when I need to re-authenticate after the session expires the exception occurs. After a few hours the application
works again. I also find out that when the application crashes in for example firefox, it still works in other browsers (until it crashes there of course).
I tried to solve the problem by adding a machine key in the web.config, but it didnt change anything...
Oct 14, 2009 12:31 AM|LINK
>>In the masterpage, call the antiforgerytoken htmlhelper function before the </body> tag (not in a form)
That's the problem
Oct 16, 2009 09:33 AM|LINK
I tried it again by creating a form using Html.BeginForm. This time not in the masterpage but just in the Home/Index page, and again when the session expired and I logged on the application crashed. The Home/About page does not contain a form with validation
token and is working fine.
I also tried it on another server, no problems found there, so I think the problem is caused by my webhosting provider.
Oct 16, 2009 06:44 PM|LINK
I think you're right - we have lots of folks using AntiForgeryToken. It would be nice to get a list of MVC friendly providers.