How To Fix the: “Validation of viewstate MAC failed” Error (ASP.NET MVC)
I run my site on a Windows Shared Hosting account, and every time I updated the assemblies on my ASP.NET MVC site I’d be presented with the “Validation of viewstate MAC failed” error.
The “Validation of viewstate MAC failed” error only occurred when a page contained an HTML form element that made use of MVC’s AntiForgeryToken. The quick fix was to delete my __RequestVerificationToken cookie, but the error would rear its ugly head the minute I touched my assemblies. The long term solution was to add a machineKey element to my Web.config file – asking visitors to delete a specific cookies when visiting my site was not a viable option.
How I fixed the “Validation of viewstate MAC failed” error on Shared Hosting:
- I used the <machineKey> Generator Tool to generate a machine key
- I added the machineKey element to my Web.config file
My Web.config now looks similar to this:
<?xml version="1.0"?>
<configuration>
<system.web>
<machineKey validationKey="..." decryptionKey="..." validation="SHA1" />
Anyhow, I hope this post helps anyone else that’s encountering this error.
Oh wait, here’s the error in its entirety for The Google Machine’s crawlers:
Server Error in '/' Application.
Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Web.HttpException: Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.
Thank you for your post. I was trying to narrow down the issue and knowing that it’s the anti-forgery token will go a long way.
Glad I could help. :)
Wow, this was really biting me and my team’s ass for a while, especially the whole “ViewState” part of it that made absolutely no sense whatsoever, as we don’t even use ASPX views in our MVC project, but NVelocity. Thus, no viewstate can in any way exist in our project, yet viewstate exceptions were being thrown all over the place.
While I think Microsoft has made a huge mistake in basing the anti forgery token on the legacy viewstate mac validation algorithm (and even haven’t managed to mask this legacy in more intuitive and descriptive error messages), your solution works fine.
I wish Microsoft could somehow demand or at least encourage the existence of in web.config in ASP.NET MVC projects, so this problem wouldn’t ever surface to begin with.
Again: Thanks for your solution! :)
Wow, I wish your article appeared higher on the google results. I have tried numerous other solutions to no avail. Yours did the trick! Thanks.
Oh my god, it solve my problem, thanks
Great Article! Quickly fixed my exact problem! Very detailed as well.. Thank you so much!
- Dan