When I started working more with ASP.NET a couple of years ago, doing a couple of complete websites from scratch, rather than working from an existing template or someone else’s site, I soon ran into the error shown below. While trying to troubleshoot it I came to the conclusion that it’s both very common and yet not very well understood.  Eventually I figured I had a good handle on the whole thing so I thought maybe it was time to share.

Here’s the error you get from IIS:

Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Web.HttpException: Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.

To simplify what’s happening, the error occurs because the client and server aren’t using the same key to encrypt & decrypt data that gets sent back and forth by ASP.NET.

So, how does that happen?  The message refers to the  entry in your ASP.NET website’s web.config file.  This entry defines how ASP.NET gets the encryption key used to encrypt and decrypt data sent back and forth in ASP.NET.  The default configuration for  is to specify ASP.NET should automatically generate the key. When AutoGenerate mode is turned on, the key is generated at the start of the browser session and in theory should last as long as the user’s session with the browser is open.

It makes perfect sense that when you have multiple servers working together, you have to synchronize them in certain ways, such as making sure they all use the same encryption key.  So turning off AutoGenerate would make sense in that scenario.

But I was using a single, stand-alone server, not a cluster or farm, so the message didn’t seem to apply.  Oddly, the information I could online seemed to largely ignore this alternative.

After experimenting with it for awhile, I came to the conclusion that the problem can also be caused by the expiration of the session on the server side. This can happen for a variety of reasons, but the most common would be simply that the client side sits idle long enough.  Like, you know, if the user walks away from their computer at bedtime, leaving the site open in their browser window.

After the session has been inactive for awhile, the server purges it in order to recover the memory and any other resources that might be involved.  Later, when the user comes back to the computer and does something that causes an event, the JavaScript code that ASP.NET uses to do its magic will still have the old encryption key from the night before. When it sends data to the server, the server will create a new session, since the old one was purged.  But the new session will have a new encryption key that doesn’t match what just came in from the client, so it spits out the error.

Aside from the user being idle for awhile, there are other scenarios which can cause an open session to be reset, such as files in the website being updated, user’s authentication status changing, or the user’s internet connection changing in some way, to name a few possibilities.

When the session gets reset, the appearance of the error depends on what happens next.  If the user clicks a plain old fashioned link to another page, the error will not occur, since this does not require any encrypted data to be sent back to the server.  However, if the item being clicked is an ASP.NET HyperLink control or something similar where an event is generated, then the client will send encrypted data and the server will go boom.

Annoyingly, there appears to be no way to catch this error and recover from it once it’s happened, at least that I’ve found.

But the fix is simple.  Just always use a specific Machine Key configuration with your ASP.NET websites, rather than AutoGenerate. There is a web-based tool for creating a unique Machine Key available online.

A Brief Sidebar About The ASP.NET Page Life Cycle

These days there are a few different flavors of ASP.NET out there.  The original flavor is commonly known as “Web Forms”. Subsequently Microsoft has come up with ASP.NET MVC and Razor.  These newer flavors do things a bit differently in some ways, but this article is mainly about the original “Web Forms”.

When I first hit this error, I was still relatively new to ASP.NET and didn’t have a full understanding about the relationship between the server and client sides.  If that applies to you, then read on and I’ll try to explain a few things so you have a background for what’s happening with the error.

When your page is first loaded, ASP.NET creates an instance of the class which is attached to the page and then calls the methods named Page_Init and Page_Load to handle whatever processing is required to create the page.

Part of what gets created during this process is a block of JavaScript code which handles the client-side part of ASP.NET.  This includes a data structure called the viewstate which describes the status of all controls on the page which have the runat=”server” attribute assigned to them, regardless of if they are plain HTML tags or something ASP.NET specific.  This attribute means that when some sort of event occurs on the client side, we want to have it processed at the server side. The ASPX source file for the page can assign handlers for these events, or your Page_Init and Page_Load code can do it.

An event handler is a method (usually within your page class) which knows how to process the event in question. Whenever some event happens on the client that needs to be processed on the server, the ASP.NET JavaScript code updates the viewstate data, then encrypts it and sends it to the the server along with a description of whatever event occurred.  This whole process is known as a postback.

On the server side, when a postback happens, the Page_Init and Page_Load code for the current page is called again, just like it was when the page was first created, except now the property IsPostback is set to true, whereas it had been set to false originally.  Your page’s code can look at this value to determine if there is extra processing required for the postback, or if there something that can be skipped.

After the Page_Init and Page_Load code finishes, then ASP.NET calls the function that was designated as the handler for the event which occurred.  It might handle a button being clicked, or whatever else was done.  After this processing is done, unless the code redirected to another page, the updated viewstate structure is returned to the client, which then decrypts it and updates the window contents as indicated.