Web Debug

Fix broken web applications, from servers to clients.

Validation of viewstate MAC failed

The symptom


View state is a feature in ASP.NET that allows pages to automatically preserve state without relying on server state (for example, session state). However, issues relating to view state can be difficult to debug. In most cases, when problems with view state occur, you receive the following error message in the Web browser, with little indication of what might be causing the issue:

"The viewstate is invalid for this page and might be corrupted"


Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.

The theory


This section is from http://msdn.microsoft.com/en-us/magazine/ff797918.aspx

The ASP.NET feature to apply a MAC is called EnableViewStateMac, and just like ViewStateEncryptionMode, you can apply it either through a page directive or through the application’s web.config file:

    <%@ Page EnableViewStateMac="true" %>

Or, in web.config:

    <configuration>
      <system.web>
        <pages enableViewStateMac="true" />
      </system.web>
    </configuration>

To understand what EnableViewStateMac is really doing under the covers, let’s first take a high-level look at how view state is written to the page when view state MAC is not enabled:

  1. View state for the page and all participating controls is gathered into a state graph object.
  2. The state graph is serialized into a binary format.
  3. The serialized byte array is encoded into a base-64 string.
  4. The base-64 string is written to the _VIEWSTATE form value in the page.


When view state MAC is enabled, there are three additional steps that take place between the previous steps 2 and 3:

  1. View state for the page and all participating controls is gathered into a state graph object.
  2. The state graph is serialized into a binary format.
    a.   A secret key value is appended to the serialized byte array.
    b.   A cryptographic hash is computed for the new serialized byte array.
    c.   The hash is appended to the end of the serialized byte array.
  3. The serialized byte array is encoded into a base-64 string.
  4. The base-64 string is written to the _VIEWSTATE form value in the page.


Whenever this page is posted back to the server, the page code validates the incoming _VIEWSTATE by taking the incoming state graph data (deserialized from the _VIEWSTATE value), adding the same secret key value, and recomputing the hash value. If the new recomputed hash value matches the hash value supplied at the end of the incoming _VIEWSTATE, the view state is considered valid and processing proceeds. Otherwise, the view state is considered to have been tampered with and an exception is thrown.

Figure 3: Applying a Message Authentication Code (MAC) (image: http://i.msdn.microsoft.com/ff797918.SullivanFigure3hires%28en-us,MSDN.10%29.png)

The security of this system lies in the secrecy of the secret key value. This value is always stored on the server, either in memory or in a configuration file (more on this later)—it is never written to the page. Without knowing the key, there would be no way for an attacker to compute a valid view state hash.
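As an added illustration, not code from the original article or from ASP.NET itself, the following Python models the steps above: JSON stands in for the binary serializer, HMAC-SHA256 stands in for the article's "append the secret key, then hash" construction, and every function and key name is an assumption. It shows why two farm nodes that each hold their own AutoGenerate key reject each other's postbacks, and why a _VIEWSTATE altered after rendering fails the same check.

```python
import base64
import hashlib
import hmac
import json
import secrets


class ViewStateMacError(Exception):
    """Raised where ASP.NET would report 'Validation of viewstate MAC failed'."""


def render_viewstate(state_graph, validation_key):
    """Steps 2a-2c and 3: serialize, MAC with the secret key, base64-encode."""
    payload = json.dumps(state_graph, sort_keys=True).encode()  # stand-in for the binary serializer
    tag = hmac.new(validation_key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode()


def validate_viewstate(viewstate, validation_key):
    """Postback: recompute the MAC with this node's key and compare before trusting the state."""
    raw = base64.b64decode(viewstate)
    payload, tag = raw[:-32], raw[-32:]  # SHA-256 tag is the last 32 bytes
    expected = hmac.new(validation_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ViewStateMacError("Validation of viewstate MAC failed")
    return json.loads(payload)


def postback_succeeds(issuing_key, validating_key, state_graph):
    """True if a page rendered with issuing_key validates on a node holding validating_key."""
    try:
        validate_viewstate(render_viewstate(state_graph, issuing_key), validating_key)
        return True
    except ViewStateMacError:
        return False


def modified_postback_succeeds(validation_key, state_graph):
    """True if a _VIEWSTATE changed after rendering (one bit flipped) is still accepted."""
    raw = bytearray(base64.b64decode(render_viewstate(state_graph, validation_key)))
    raw[0] ^= 0x01  # alter the state graph, leave the MAC bytes untouched
    try:
        validate_viewstate(base64.b64encode(bytes(raw)).decode(), validation_key)
        return True
    except ViewStateMacError:
        return False


if __name__ == "__main__":
    state = {"GridView1": {"PageIndex": 2}, "TextBox1": "hello"}  # constructed sample state graph
    shared_key = secrets.token_bytes(64)  # explicit validationKey deployed to every farm node
    node_a, node_b = secrets.token_bytes(64), secrets.token_bytes(64)  # what AutoGenerate yields per node
    print("shared validationKey :", postback_succeeds(shared_key, shared_key, state))  # True
    print("AutoGenerate in farm :", postback_succeeds(node_a, node_b, state))  # False
    print("modified _VIEWSTATE  :", modified_postback_succeeds(shared_key, state))  # False
```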

The configuration


The ValidationKey property is used when enableViewStateMAC is true to create a message authentication code (MAC) to enable ASP.NET to determine whether view state has been tampered with. The ValidationKey property is also used to generate out-of-process, application-specific session IDs to ensure that session state variables are isolated between applications.

Use the "AutoGenerate" option to specify that ASP.NET generates a random key and stores it in the Local Security Authority. The "AutoGenerate" option is part of the default value.

If you add the "IsolateApps" modifier to the "AutoGenerate" ValidationKey value, ASP.NET generates a unique encrypted key for each application by using each application's AppDomainAppVirtualPath. This is the default setting.

If you add the "IsolateByAppId" modifier to the "AutoGenerate" ValidationKey value, ASP.NET generates a unique encrypted key for each application by using each application's AppDomainAppId. If two distinct applications share a virtual path (perhaps because those applications are running on different ports), this flag can be used to further distinguish them from one another. The “IsolateByAppId” flag is understood only by ASP.NET 4.5, but it can be used regardless of the MachineKeySection.CompatibilityMode setting.

If you need to support configuration across a network of Web servers (a Web farm), set the ValidationKey property manually to ensure consistent configuration.

This property is typically set declaratively in the validationKey attribute of the machineKey element of the Web.config file.
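An added example, not from the original article or from Microsoft's documentation: Python that emits an explicit machineKey element for web.config and checks that every node of a farm will use the same validationKey, treating a missing element as the "AutoGenerate,IsolateApps" default described above. The validation="HMACSHA256" and decryption="AES" values require .NET 4 or later; the node names and the WEB_CONFIG wrapper are constructed for the demonstration.

```python
import secrets
import xml.etree.ElementTree as ET

# Minimal constructed web.config skeleton; {machine_key} is replaced per node.
WEB_CONFIG = "<configuration><system.web>{machine_key}</system.web></configuration>"


def generate_machine_key(validation_bytes=64, decryption_bytes=32):
    """Build an explicit <machineKey> element from fresh CSPRNG material.

    validation_bytes=64 gives a 128-hex-char validationKey for HMACSHA256;
    decryption_bytes=32 gives a 64-hex-char (AES-256) decryptionKey.
    """
    return ('<machineKey validationKey="{v}" decryptionKey="{d}" '
            'validation="HMACSHA256" decryption="AES" />').format(
        v=secrets.token_hex(validation_bytes).upper(),
        d=secrets.token_hex(decryption_bytes).upper())


def effective_validation_keys(web_configs):
    """Map each farm node (name -> web.config text) to the validationKey it will use.

    A node without <machineKey> falls back to "AutoGenerate,IsolateApps", which
    is a different random key on every machine, so it is tagged with the node name.
    """
    keys = {}
    for node, text in web_configs.items():
        mk = ET.fromstring(text).find("./system.web/machineKey")
        key = mk.get("validationKey") if mk is not None else None
        key = key or "AutoGenerate,IsolateApps"  # absent element or attribute -> default
        keys[node] = f"{key}@{node}" if key.startswith("AutoGenerate") else key
    return keys


def farm_is_consistent(web_configs):
    """True only when every node will compute the same view state MAC."""
    return len(set(effective_validation_keys(web_configs).values())) == 1


if __name__ == "__main__":
    # Constructed sample farm: both nodes at the default, then the same explicit element on both.
    nodes = ("web01", "web02")
    default_farm = {n: WEB_CONFIG.format(machine_key="") for n in nodes}
    shared = generate_machine_key()
    fixed_farm = {n: WEB_CONFIG.format(machine_key=shared) for n in nodes}
    print("default (AutoGenerate) farm consistent:", farm_is_consistent(default_farm))  # False
    print("explicit shared key farm consistent  :", farm_is_consistent(fixed_farm))  # True
    print(shared)
```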

For more information about the machineKey configuration, refer to "How To: Configure MachineKey in ASP.NET 2.0": http://msdn.microsoft.com/en-us/library/ms998288.aspx

The tools


Fiddler has a built-in TextWizard that decodes the base64-encoded view state string: go to Inspectors > WebForms, right-click ViewState in the body list view and choose Send to TextWizard.

Another online ViewState decoder: http://ignatu.co.uk/ViewStateDecoder.aspx

Reference

Understanding ASP.NET View State
http://msdn.microsoft.com/library/ms972976.aspx

View State Security
http://msdn.microsoft.com/en-us/magazine/ff797918.aspx

How To: Configure MachineKey in ASP.NET 2.0
http://msdn.microsoft.com/en-us/library/ms998288.aspx

Troubleshooting the "View state is invalid" error with ASP.NET
http://support.microsoft.com/kb/829743

Validation of viewstate MAC failed after installing .NET 3.5 SP1
http://blogs.msdn.com/b/tess/archive/2009/04/14/validation-of-viewstate-mac-failed-after-installing-net-3-5-sp1.aspx
