19

After publishing a new build of my ASP.NET MVC web application, I often see this exception thrown when browsing to the site:

System.Web.Mvc.HttpAntiForgeryException: A required anti-forgery token was not supplied or was invalid. ---> System.Web.HttpException: Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster. ---> System.Web.UI.ViewStateException: Invalid viewstate.

This exception will continue to occur on each page I visit in my web application until I close out of Firefox. After reopening Firefox, the site works perfectly. Any idea what's going on?

Additional notes:

  1. I am not using any ASP.NET web controls (there are no instances of runat="server" in my application)
  2. If I take out the <%= Html.AntiForgeryToken %> from my pages, this problem seems to go away
Kevin Pang

3 Answers

32

Under the covers, the MVC AntiForgeryToken attribute uses the machinekey for encryption. If you don't specify a machinekey in the web.config (see here), one is automatically generated for you by ASP.NET (full description).

If the ASP.NET application is restarted (e.g. you do an iisreset), the AntiForgeryToken within the browser cookie will still be encrypted with the old machine key, which is why it crashes with the above error.

So you should always specify a machinekey in your web.config when using MVC, e.g.

<configuration>
    <system.web>
        <machineKey
            validationKey="21F090935F6E49C2C797F69BBAAD8402ABD2EE0B667A8B44EA7DD4374267A75D7AD972A119482D15A4127461DB1DC347C1A63AE5F1CCFAACFF1B72A7F0A281B"
            decryptionKey="ABAA84D7EC4BB56D75D217CECFFB9628809BDB8BF91CFCD64568A145BE59719F"
            validation="SHA1"
            decryption="AES"
        />
        ...
    </system.web>
</configuration>
Dunc
  • I am still getting the error even if I enter the machineKey like this. Could it be that the machine.config on the server (I have no access to this) is not configured correctly? – jesperlind Nov 12 '09 at 01:54
  • @jesperlind: (A little late, but anyone reading this might be helped...) You still get the error because you have a cookie from before you added the machine key. It will only work without a hitch if you have the machine key locked in from the start. – Guffa Oct 21 '11 at 07:53
  • Note: Don't use the exact machine key from the code above. If all sites have the same machine key, it's easy to circumvent. Use an online machinekey generator to generate a unique key, for example http://aspnetresources.com/tools/machineKey – Guffa Oct 21 '11 at 08:21
  • Thanks @Guffa. So that means that if we need to change the machinekey for some reason we are smoked. We have to ask the users to delete their cookies to be able to use the web site again. From my experience the AntiForgeryToken has been a bit buggy in Mvc2 and below. I ended up writing a filter that caught HttpAntiForgeryException and then: filterContext.HttpContext.Request.Cookies.Remove("__RequestVerificationToken_Lw__"); It's only now that I've upgraded to Mvc3 that I removed that filter, and I have not had any problem since. – jesperlind Oct 22 '11 at 01:19
  • @jesperlind: It's a session cookie, so it's only a problem for users who have the browser open and visit the site before and after the update. – Guffa Oct 22 '11 at 10:57
  • Before writing the machine key in web.config, I'd like to know where I should look for the machine key to copy & paste into web.config. Thanks – Thomas Aug 12 '14 at 09:07
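The failure mode Dunc's answer describes, together with Guffa's advice to generate a unique key rather than copy one, as an added example (my code, not from the answers, ASP.NET or MVC): it draws fresh machineKey values from a CSPRNG, renders the element, and models why a cookie MAC'd under an auto-generated key stops validating after a restart while a key fixed in web.config keeps working. The HMAC-SHA1-over-token model and all function names are my own assumed simplification, not ASP.NET's real anti-forgery format.

```python
import hashlib
import hmac
import secrets


def generate_machine_key(validation_bytes=64, decryption_bytes=32):
    """Return (validationKey, decryptionKey) as upper-case hex drawn from the OS CSPRNG.

    64 bytes matches the validationKey length in the answer above; 32 bytes is a full
    AES-256 decryptionKey. Never reuse a key copied from a public example.
    """
    return (secrets.token_hex(validation_bytes).upper(),
            secrets.token_hex(decryption_bytes).upper())

def machine_key_element(validation_key, decryption_key, validation="SHA1", decryption="AES"):
    """Render the <machineKey> element to paste under <system.web> in web.config."""
    for key in (validation_key, decryption_key):
        bytes.fromhex(key)  # raises ValueError if a key is not valid hex
    return ('<machineKey validationKey="%s" decryptionKey="%s" '
            'validation="%s" decryption="%s" />'
            % (validation_key, decryption_key, validation, decryption))

def sign_token(validation_key, token):
    """Assumed simplification of the MAC ASP.NET puts on the anti-forgery cookie:
    an HMAC over the token under the validationKey (the real format is more involved)."""
    return hmac.new(bytes.fromhex(validation_key), token, hashlib.sha1).hexdigest()

def verify_token(validation_key, token, mac):
    """Constant-time check that the cookie's MAC was produced under this validationKey."""
    return hmac.compare_digest(sign_token(validation_key, token), mac)

def cookie_survives_restart(key_in_web_config):
    """Model the scenario from the question: a cookie issued before an app restart is
    validated after it. With AutoGenerate the new process draws a fresh key and the old
    cookie fails; with an explicit machineKey in web.config the same key is reused."""
    old_key, _ = generate_machine_key()
    token = secrets.token_bytes(16)            # constructed stand-in for the cookie value
    cookie_mac = sign_token(old_key, token)    # issued by the process before iisreset
    new_key = old_key if key_in_web_config else generate_machine_key()[0]
    return verify_token(new_key, token, cookie_mac)

if __name__ == "__main__":
    vkey, dkey = generate_machine_key()
    print(machine_key_element(vkey, dkey))
    print("AutoGenerate, old cookie valid after restart:", cookie_survives_restart(False))
    print("explicit machineKey, old cookie valid after restart:", cookie_survives_restart(True))
```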
1

If you're on a server farm, make sure your machine key on every server is the same.

Andrew Arnott
0

I too had this problem, and expecting users to clear their cache or cookies, or to refresh the page, isn't acceptable.

Adding a machinekey to web.config will fix this. I used this tool to quickly generate a key so I don't see these errors in development, and then I generate one properly when the site goes into production.

http://aspnetresources.com/tools/machineKey

hokapoka