5

I've just updated to .NET 3.5 SP1 and my once working ASP.NET MVC page has now stopped working.

When trying to load a page I get the following YSOD

[CryptographicException: Padding is invalid and cannot be removed.]
   System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[]& outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast) +7596702
   System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount) +208
   System.Security.Cryptography.CryptoStream.FlushFinalBlock() +33
   System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, IVType ivType, Boolean useValidationSymAlgo) +225
   System.Web.UI.ObjectStateFormatter.Deserialize(String inputString) +195

[ViewStateException: Invalid viewstate. 
    Client IP: 127.0.0.1
    Port: 
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6 (.NET CLR 3.5.30729)
    ViewState: hC6BC8KsuD/yoy2iG74bUZ8TYhGfuDDeIjh9fg/L18yr/E+1Nk/pjS5gyn9O+2jY
    Referer: http://localhost:1092/admin/product
    Path: /admin.aspx/product/edit/4193]

[HttpException (0x80004005): Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.]
   System.Web.UI.ViewStateException.ThrowError(Exception inner, String persistedState, String errorPageMessage, Boolean macValidationError) +106
   System.Web.UI.ViewStateException.ThrowMacValidationError(Exception inner, String persistedState) +14
   System.Web.UI.ObjectStateFormatter.Deserialize(String inputString) +242
   System.Web.UI.ObjectStateFormatter.System.Web.UI.IStateFormatter.Deserialize(String serializedState) +4
   System.Web.Mvc.AntiForgeryTokenSerializer.Deserialize(String serializedToken) +73

If I remove the line

<%= Html.AntiForgeryToken() %>

everything works again. Any ideas what might be causing this? I would have expected more luck in finding a solution if this was an MVC or .NET issue, so I'm guessing it is something to do with my configuration.

I've tried reinstalling the MVC framework to see if it was because I installed before SP1, but I still get the same issue. Google and SO searches haven't resulted in any firm conclusions.

Remmus

3 Answers

15

Doh, just solved it.

Cleared my browser cache and cookies and everything works fine again.

Remmus
  • Thanks! This really helped me, was going nuts. – jesperlind Sep 08 '09 at 18:08
  • Saved me 2 hours of research. Thanks – Felipe Lima May 10 '10 at 04:56
  • 3
    Likewise. Why does this fix the issue? And why was there an issue in the first place? – Kasper Holdum Jul 03 '10 at 23:25
  • 1
    Omg, after all the things I tried, a bunch of machine keys generated, all I have to do is clear cookies! Thanks so much! – Hrvoje Hudo Aug 02 '10 at 20:24
  • Closing the browser also works, as it's a session cookie that is used. Adding a machinekey in web.config is the long term solution, otherwise you will have this problem every time you restart the site. See http://stackoverflow.com/questions/1360078/asp-net-mvc-validation-of-viewstate-mac-failed – Guffa Oct 21 '11 at 08:22
3

Clearing the browser cache isn't an option if the site is already deployed and you're doing maintenance including an ASP.NET MVC assembly update. Here's the solution I used:

@Html.AntiForgeryTokenReset() @* use this instead*@

Here is the extension method:

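using System;
using System.Web;
using System.Web.Mvc;

// Extension methods must live in a static class; the class name is arbitrary.
public static class AntiForgeryExtensions
{
    public static MvcHtmlString AntiForgeryTokenReset(this HtmlHelper htmlHelper)
    {
        try
        {
            return htmlHelper.AntiForgeryToken();
        }
        catch (Exception)
        {
            // The token cookie sent by the browser could not be validated.
            // Clear this request's cookie collection so the retry does not see it.
            var request = HttpContext.Current.Request;
            request.Cookies.Clear();
            return htmlHelper.AntiForgeryToken();
        }
    }
}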
Jon Davis
  • Interesting solution. I thought of using this, but as the cookie is a session cookie it will go away for the visitors when they close the browser. As I have added a machine key to web.config anyway, it won't be a problem in future updates. – Guffa Oct 21 '11 at 08:16
1

Looks like this problem has been solved now. Take a look at http://forums.asp.net/p/1388671/2960554.aspx

Dave Archer
  • That applies to local development where sites overwrite each other's cookies, which has been fixed. – Guffa Oct 21 '11 at 08:22
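
Why a stale cookie stops validating, and what the fixed machine key recommended in the comments looks like, as an added example that is not part of the original posts. It is a simplified C# model: an HMAC-SHA1 tag stands in for the real token protection, and `MachineKeyDemo` and its helpers are hypothetical names. It shows a value issued under one key failing validation under another, then prints a `<machineKey>` element with freshly generated keys.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Simplified model, not ASP.NET's real token format: the "cookie" is a payload
// plus an HMAC-SHA1 tag, standing in for the protection the machine key provides.
static class MachineKeyDemo   // hypothetical name
{
    static byte[] NewKey(int length)
    {
        var key = new byte[length];
        RandomNumberGenerator.Create().GetBytes(key);
        return key;
    }

    static byte[] Tag(byte[] validationKey, string payload)
    {
        using (var hmac = new HMACSHA1(validationKey))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }

    static bool Validates(byte[] validationKey, string payload, byte[] tag)
    {
        byte[] expected = Tag(validationKey, payload);
        int diff = expected.Length ^ tag.Length;
        for (int i = 0; i < expected.Length && i < tag.Length; i++)
            diff |= expected[i] ^ tag[i];   // no early exit on the first mismatch
        return diff == 0;
    }

    static string Hex(byte[] bytes)
    {
        return BitConverter.ToString(bytes).Replace("-", "");
    }

    static void Main()
    {
        const string payload = "constructed-token-value";   // constructed sample
        // Two different keys stand in for the site's key before and after it changed.
        byte[] oldKey = NewKey(64), newKey = NewKey(64);
        byte[] cookieTag = Tag(oldKey, payload);   // what the browser still holds
        Console.WriteLine("validates under old key: " + Validates(oldKey, payload, cookieTag));
        Console.WriteLine("validates under new key: " + Validates(newKey, payload, cookieTag));

        // Fixed keys for web.config: 64-byte validation key, 32-byte AES decryption key.
        Console.WriteLine(
            "<machineKey validationKey=\"{0}\" decryptionKey=\"{1}\" validation=\"SHA1\" decryption=\"AES\" />",
            Hex(NewKey(64)), Hex(NewKey(32)));
    }
}
```

The printed element goes inside `<system.web>` in web.config, with the same values on every server that serves the site. The generated keys are secrets and should be kept out of source control.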