Validation of viewstate MAC failed.

Gibble

We have been receiving 100s of this error:

----------
Validation of viewstate MAC failed. If this application is hosted by a
Web Farm or cluster, ensure that <machineKey> configuration specifies
the same validationKey and validation algorithm. AutoGenerate cannot
be used in a cluster.
----------

Since we aren't using a Web Farm or Cluster, that's not the issue. The
machine key is correct. I believe this is related to large/slow
loading pages not being done rendering when the post back happens.
Therefore the __EVENTVIEWSTATE form value is not yet set and
subsequently not sent with the form.

What are the security implications of setting
enableEventValidation="false" in my web.config?

Thank you.
-G
 
enableEventValidation checks that postbacks are from enabled controls,
and that the posted select values are in the rendered list. It has no
effect on the error message you are receiving.

Most likely the application is recycling between render and postback.
This causes a new key to be generated and your error. You can fix the
key in the web config and avoid this.

-- bruce (sqlwork.com)
 
enableEventValidation is probably not what you need to look at. What that
controls is whether the Form elements in a postback are the same that were
on the original page, and has more to do with adding controls or dropdownlist
elements programmatically (for example).

ValidateRequest is more like what you want to be looking at. Also, see if
you really need ViewState enabled on all your controls or the page, to cut
down on its size.
Peter
 
We already use a fixed key in our web.config.

 
The current web.config contains:
<pages validateRequest="false" enableEventValidation="true"/>
 
You should probably reduce your viewstate size (< 1k). If you cannot,
then you probably need to set viewStateEncryptionMode to never and turn
off enableEventValidation.

The security you face is your site is easier to hack. Because the
viewstate is not encrypted, hackers can change values in the viewstate,
send values not included in a dropdown list and press buttons you may
have disabled. As long as your site does not trust any postback values,
and validates button clicks, then you are fine.

Cross-site scripting and SQL injection are the most common risks if you
do not do the above validation.

-- bruce (sqlwork.com)
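
A simplified model of the keyed MAC check discussed in this thread, added here as an example (it is not code from any poster and does not reproduce ASP.NET's actual view state format). It shows a postback being accepted with an unchanged fixed key and rejected when the key changes between render and postback, when the field arrives cut short, or when a value is altered; the sample state, the placeholder key and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Simplified model: real ASP.NET view state has its own serializer and key
# handling. Only the keyed-MAC check behind the error message is modelled.
MAC_LEN = hashlib.sha256().digest_size
ERROR = "Validation of viewstate MAC failed."


def protect(state: bytes, key: bytes) -> bytes:
    """Render side: append HMAC(key, state) to the serialized state."""
    return state + hmac.new(key, state, hashlib.sha256).digest()


def validate(field: bytes, key: bytes) -> bytes:
    """Postback side: return the state, or raise if the MAC does not verify."""
    state, mac = field[:-MAC_LEN], field[-MAC_LEN:]
    expected = hmac.new(key, state, hashlib.sha256).digest()
    if len(field) <= MAC_LEN or not hmac.compare_digest(mac, expected):
        raise ValueError(ERROR)
    return state


def outcome(field: bytes, key: bytes) -> str:
    try:
        validate(field, key)
        return "accepted"
    except ValueError:
        return "rejected"


def run_scenarios() -> dict:
    state = b"ddlRole=user;btnDelete.Enabled=false"  # constructed sample state
    fixed = b"PLACEHOLDER-KEY-FROM-CONFIG"           # placeholder, not a real key
    at_render, after_recycle = os.urandom(64), os.urandom(64)  # auto-generated keys
    rendered = protect(state, fixed)
    return {
        "fixed key, app recycled": outcome(rendered, fixed),
        "auto key, app recycled": outcome(protect(state, at_render), after_recycle),
        "fixed key, field cut short": outcome(rendered[: len(rendered) // 2], fixed),
        "fixed key, value tampered": outcome(rendered.replace(b"user", b"admin"), fixed),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```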
 
Well, we shouldn't be using viewstate anywhere anyhow, it's disabled
wherever possible.

Thanks.
 