I currently have an intermittent issue where users receive the error message in the title of this post:

System.Web.UI.ViewStateException Invalid viewstate. Client IP: 127.0.0.1 Port: xxx Referer: xxx

I've finally managed to replicate this in our Development environment and it appears to be related to posting a form back after a period of 20 minutes of inactivity.

I initially thought it was the session timing out causing the problem but apparently not.

I found the following post:

Viewstate timeout error

This suggests that ViewState encryption keys have a finite lifetime and by default are set at server level to:

<machineKey validationKey="AutoGenerate,IsolateApps"  
            decryptionKey="AutoGenerate,IsolateApps" 
            validation="SHA1" decryption="Auto" />

The strange thing is that this doesn't happen for all users concurrently so it's not the app pool recycling.

Does anyone know if a key is generated per user session?

I have managed to fix this error my adding a static machine key config as suggested

<machineKey validationKey="9664D19D67A5EE43FE77CD2B660A57DF254B15714935DDDDAAC94BC66C5C398F894380AD56572C8762A1AB116B9070C7ACC7F32B489D23476CEA909448831AF3" 
  decryptionKey="CAD9BBC02543433C50CD4A11EA706F0F25FCD51F28E9DEAF20361F0AA2AB3793" 
  validation="SHA1" 
  decryption="AES" 
/>

Is this a safe thing to do in a production environment? Wanted to double check as the application has been running for around 10 years and is a global change I'm reluctant to make without knowing the pros and cons.

Thanks in advance.

Related posts

Recent Viewed