HttpException Due to Invalid Viewstate After Installing .NET Framework 3.5 SP1

In the recent past I have come across several issues where our customers have started running into ViewState issues after installing SP1 for .NET Framework 3.5. The exception details are similar to the following:


Server Error in ‘/ActionTest’ Application.

Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Web.HttpException: Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.

Source Error:

[No relevant source lines]

Source File: c:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\actiontest\fae72529\40d789a2\App_Web_2ek84umu.1.cs    Line: 0

Stack Trace:

[HttpException (0x80004005): Unable to validate data.]
   System.Web.Configuration.MachineKeySection.GetDecodedData(Byte[] buf, Byte[] modifier, Int32 start, Int32 length, Int32& dataLength) +289
   System.Web.UI.ObjectStateFormatter.Deserialize(String inputString) +140

[ViewStateException: Invalid viewstate. 
	Client IP: ::1
	Port: 55824
	User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 1.1.4322; InfoPath.2; MS-RTC LM 8; .NET CLR 3.5.21022; .NET CLR 3.5.30729; MS-RTC EA 2; OfficeLiveConnector.1.3; OfficeLivePatch.0.0; .NET CLR 3.0.30729)
	ViewState: /wEPDwUKMTg1NzEyNTU1OWRkfmOpf2LsmvVxtr3aHeaANTZVGQM=
	Referer: http://localhost/ActionTest/FormWithActionTag.aspx
	Path: /ActionTest/Test.aspx]

[HttpException (0x80004005): Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.]
   System.Web.UI.ViewStateException.ThrowError(Exception inner, String persistedState, String errorPageMessage, Boolean macValidationError) +106
   System.Web.UI.ViewStateException.ThrowMacValidationError(Exception inner, String persistedState) +14
   System.Web.UI.ObjectStateFormatter.Deserialize(String inputString) +242
   System.Web.UI.ObjectStateFormatter.System.Web.UI.IStateFormatter.Deserialize(String serializedState) +4
   System.Web.UI.Util.DeserializeWithAssert(IStateFormatter formatter, String serializedState) +37
   System.Web.UI.HiddenFieldPageStatePersister.Load() +207
   System.Web.UI.Page.LoadPageStateFromPersistenceMedium() +105
   System.Web.UI.Page.LoadAllState() +43
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +6785
   System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +242
   System.Web.UI.Page.ProcessRequest() +80
   System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) +21
   System.Web.UI.Page.ProcessRequest(HttpContext context) +49
   ASP.test_aspx.ProcessRequest(HttpContext context) in c:\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\actiontest\fae72529\40d789a2\App_Web_2ek84umu.1.cs:0
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +181
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75

Version Information: Microsoft .NET Framework Version:2.0.50727.3074; ASP.NET Version:2.0.50727.3074

After investigating this further we found an action attribute defined in form tags of the aspx page. Removing the action attribute prevented the exception. To reproduce the issue, add the following code to an aspx page called default.aspx  –

<%@ Page Language="C#" %>

<script runat="server">
    protected void Button1_Click(object sender, EventArgs e)

<head runat="server">
    <title>Form With Action Tag</title>
    <form id="form1" method="post" action="Test.aspx" runat="server">
        <asp:Button ID="Button1" runat="server" onclick="Button1_Click" Text="Button" />

Add a Test.aspx in the same application. When you browse the default.aspx page and click on the button, you will get the above exception.

SP1 for the 3.5 Framework (and SP2 for the 2.0 Framework) added an “action” property to the HtmlForm class that allows developers to programmatically set the action attribute of the form element. Prior to this change, action attributes in existing form elements were ignored, but after the service pack is installed, ASP.NET will honor the action attribute and will begin posting the ASP.NET page to a different page. This causes the validation of the Viewstate to fail.

To avoid the exception, remove the action attribute from the form element on your ASP.NET page. Alternatively, you can use the following code in your global.asax to remove the form attribute for all of your ASP.NET pages at runtime.

void Application_PreRequestHandlerExecute()
    var page = Context.Handler as Page;
    if (page != null) page.Init += delegate
        if (page.Form != null && !string.IsNullOrEmpty(page.Form.Action))
            page.Form.Action = string.Empty;

I hope this helps!

Comments (1)

  1. hamid says:


    my customer sometimes  get this error

    i don’t any action atribute in my solution

    sometimes i get this type of error :

    System.Security.Cryptography.CryptographicException: Padding is invalid and cannot be removed.

      at System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount, Byte[]& outputBuffer, Int32 outputOffset, PaddingMode paddingMode, Boolean fLast)

      at System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[] inputBuffer, Int32 inputOffset, Int32 inputCount)

      at System.Security.Cryptography.CryptoStream.FlushFinalBlock()

      at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, IVType ivType, Boolean useValidationSymAlgo)

      at System.Web.UI.Page.DecryptStringWithIV(String s, IVType ivType)

      at System.Web.Handlers.AssemblyResourceLoader.System.Web.IHttpHandler.ProcessRequest(HttpContext context)

      at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()

      at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

    i confued by this error

    have you any suggestion for me?