|There are several conditions that may cause this issue. Each known condition is presented with a short explanation and a possible workaround.
1. Application Pool Recycling
2. Server Farms or Server Clusters
3. Form Posts
4. Proxy servers and Virus Scanners
Viewstate represents the state of the page when it was last processed on the server. The contents of the page are stored in a container and moved to and from the server on each request. By default, ASP.NET validates the contents of viewstate to ensure that it has not been tampered. If this validation test fails, an invalid viewstate exception is thrown. Some known issues that cause this test to fail are listed below.
Application Pool Recycling:
IIS 6 will periodically recycle the application pool to maintain the health of the application pool. At the instance when the application pool is being recycled, browser requests may sometimes result in an invalid viewstate error. The fix in this case is to adjust the settings on the application pools so that recycling is less likely to occur at peak periods. This issue represents a bug since the application pool is supposed to gracefully handle this condition.
Server Farms or Server Clusters:
Applications running in a server cluster must have all the machineKey configurations set to the same validationKey. The default autogenerate key cannot be used in a cluster environment. The registry keys responsible for autogeneration are listed here:
When the machineKey is set to AutoGenerate, the key information is stored in the HKEY_CURRENT_USER hive for the account running the process. For W2k3 servers, this is the Network Service account. Otherwise, the account is ASP.NET machine account. When the process launches, ASP.NET will use the HKEY_CURRENT_USER registry key if it is available. If this key is not available, the
HKEY_LOCAL_MACHINE key will be used. If neither registry key exists, the process creates the key in the HKEY_LOCAL_MACHINE hive. If these conditions fail, the process creates a brand new set of keys.
When the application pool is running under a user account, the above keys are not generated leading to an intermittent invalid viewstate error.
The workaround is to use a specific key in the machine.config to prevent automatic key generation on each process start. The key must be exactly 128 bits made up of random characters and inserted into the configuration file on each webserver experiencing the problem.
Viewstate can only be posted back to the same page. Attempting to post an aspx form to another page will fail with a viewstate invalid exception. This behavior is by design.
One other remedy involves disabling the Machine Authentication Check. Unless, you implement a back up authentication mechanism, you should refrain from this approach. Machine Authentication Checks are important in reducing the attack surface of ASP.NET applications.
Proxy servers and Virus Scanners:
A firewall and/or antivirus software can tamper with the viewstate resulting in an invalid viewstate exception being thrown.