0

I develop mostly for desktop, so I tend to think of WebForms as a web equivalent of WinForms. Unfortunately this is not true.

Recently I have discovered that the ViewState has some kind of timeout.

My problem is similar to what I have read in most questions, in particular here (in my case it is only around 5 to 10 minutes).

Here Microsoft says that one solution for this problem is:

```xml
<asp:Page EnableViewStateMac="False" />
```

However as we can read further they say:

Security Note:
This attribute should never be set to false in a production Web site, 
even if the application or page does not use view state. 
The view state MAC helps ensure the security of other ASP.NET functions 
in addition to view state.

For this reason I don't want to set EnableViewStateMac to false, and I have no access to my server (it is shared hosting).

My question is: can we store the ViewState between postbacks even if our page stays idle for a long time? If yes, how?

Thank you

Community
  • Can you show the code you use to store objects in the ViewState? – rene Jan 08 '14 at 18:07
  • @rene: I don't store the ViewState. I don't even know if that is possible. Hence the reason for my question. – user3174393 Jan 08 '14 at 18:11
  • @user3174393 Can you add detail about the actual error you are experiencing? – geedubb Jan 08 '14 at 18:11
  • @geedubb: Server Error in '/' Application. Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster. Stack Trace: [ViewStateException: Invalid viewstate. – user3174393 Jan 08 '14 at 18:15
  • You have a session timeout, not a viewstate timeout. You probably do something like `Session["mykey"] = "keyvalue";`. Viewstate is sent to the browser and can be retrieved on the next postback of a form. Its typical use is `ViewState["key"] = "value";` – rene Jan 08 '14 at 19:00
  • @rene: No, I don't do anything like that. I don't even know how to manage sessions (I'm an ASP.NET beginner) – user3174393 Jan 08 '14 at 19:31
  • You deployed your website on a webfarm? – rene Jan 08 '14 at 19:39
  • @rene: No, the website is deployed on a single server (shared) – user3174393 Jan 08 '14 at 22:21

1 Answer

0

The viewstate is encrypted using a machine key to ensure that it is not tampered with during postback. The machine key used to encrypt the viewstate is by default auto-generated and if the time out happens then the key's decryption will fail because the machinekey will get regenerated.

The machinekey is by default available in the machine-level config file.

```xml
<machineKey validationKey="AutoGenerate,IsolateApps"
            decryptionKey="AutoGenerate,IsolateApps"
            validation="SHA1" decryption="Auto" />
```

To fix this, you can use your own defined machine key. You can generate one using online tools as well, like this, or through IIS.

How to add this machinekey to web.config can be read at MSDN.

It should be placed under the system.web section, like this -

```xml
<configuration>
  <system.web>
    <machineKey decryptionKey="Decryption key goes here,IsolateApps"
                validationKey="Validation key goes here,IsolateApps" />
  </system.web>
</configuration>
```
NoviceProgrammer
  • As far as I understand, the tool to generate the machine key runs on the web server, right? If this is the case I can do that, because I have no access to the server. It's a shared hosting. – user3174393 Jan 08 '14 at 19:19
  • The MSDN link you provided says: "Retired Content" – user3174393 Jan 08 '14 at 19:27
  • Yes, the content is marked retired, but it is still valid and explains the machinekey concept well. You will need to add the machinekey value in the web.config – NoviceProgrammer Jan 08 '14 at 19:31
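
Added example, not part of the original answer or comments: the fixed machine key the answer describes can be generated on any local machine, with no server access and without passing the secret through a third-party site, then pasted into web.config. This Python script assumes SHA1 validation with a 64-byte key and AES decryption with a 32-byte key; the function names are hypothetical.

```python
import re
import secrets
import xml.etree.ElementTree as ET

# Key sizes in bytes. Assumption: SHA1 validation with a 64-byte key and
# AES decryption with a 32-byte key (the sizes this script generates).
VALIDATION_BYTES = 64
DECRYPTION_BYTES = 32
HEX = re.compile(r"[0-9A-F]+")

def new_machine_key() -> str:
    """Return a <machineKey> element filled with fresh CSPRNG keys."""
    validation = secrets.token_hex(VALIDATION_BYTES).upper()
    decryption = secrets.token_hex(DECRYPTION_BYTES).upper()
    return (f'<machineKey validationKey="{validation}" '
            f'decryptionKey="{decryption}" '
            'validation="SHA1" decryption="AES" />')

def check_machine_key(element_xml: str) -> list:
    """Return the problems found in a <machineKey> element (empty if none)."""
    attrs = ET.fromstring(element_xml).attrib
    problems = []
    for name, size in (("validationKey", VALIDATION_BYTES),
                       ("decryptionKey", DECRYPTION_BYTES)):
        # A missing attribute falls back to the auto-generated default.
        # An optional ",IsolateApps" modifier may follow the key value.
        value = attrs.get(name, "AutoGenerate").split(",")[0]
        if value == "AutoGenerate":
            problems.append(f"{name}: auto-generated, not fixed")
        elif not HEX.fullmatch(value.upper()):
            problems.append(f"{name}: not a hex string")
        elif len(value) != size * 2:
            # Checked against the sizes above, not every size ASP.NET accepts.
            problems.append(f"{name}: expected {size * 2} hex characters")
    return problems

if __name__ == "__main__":
    element = new_machine_key()
    print(element)                     # paste under <system.web> in web.config
    print(check_machine_key(element))  # problems found in the new element
```

Treat the generated element as a secret: anyone who holds the validation key can produce view state that passes the MAC check.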