I currently have an intermittent issue where users receive the error message in the title of this post:
System.Web.UI.ViewStateException Invalid viewstate. Client IP: 127.0.0.1 Port: xxx Referer: xxx
I've finally managed to replicate this in our Development environment and it appears to be related to posting a form back after a period of 20 minutes of inactivity.
I initially thought it was the session timing out causing the problem but apparently not.
I found the following post:
This suggests that ViewState encryption keys have a finite lifetime and by default are set at server level to:
<machineKey validationKey="AutoGenerate,IsolateApps"
decryptionKey="AutoGenerate,IsolateApps"
validation="SHA1" decryption="Auto" />
The strange thing is that this doesn't happen for all users concurrently so it's not the app pool recycling.
Does anyone know if a key is generated per user session?
I have managed to fix this error by adding a static machine key config as suggested:
<machineKey validationKey="9664D19D67A5EE43FE77CD2B660A57DF254B15714935DDDDAAC94BC66C5C398F894380AD56572C8762A1AB116B9070C7ACC7F32B489D23476CEA909448831AF3"
decryptionKey="CAD9BBC02543433C50CD4A11EA706F0F25FCD51F28E9DEAF20361F0AA2AB3793"
validation="SHA1"
decryption="AES"
/>
Is this a safe thing to do in a production environment? I wanted to double-check, as the application has been running for around 10 years and this is a global change I'm reluctant to make without knowing the pros and cons.
Thanks in advance.
This is suggested for web farms so I see no reason why it would be a problem for a single instance of a web app.
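
The following is an added example, not part of the thread and not code from ASP.NET: it builds a machineKey element with fresh random keys of the same lengths as the static one in the question, and audits an element for auto-generated, malformed or publicly posted keys. The function names, the published_keys parameter and the sample inputs are assumptions made for this example.

```python
import re
import secrets
import xml.etree.ElementTree as ET

# Key sizes mirror the static element in the post: 128 and 64 hex characters.
VALIDATION_KEY_BYTES = 64
DECRYPTION_KEY_BYTES = 32
AES_HEX_LENGTHS = (32, 48, 64)          # AES-128/192/256 decryption keys
HEX_RE = re.compile(r"[0-9A-Fa-f]+")


def new_machine_key(validation="SHA1", decryption="AES"):
    """Build a <machineKey> element with keys from the OS CSPRNG."""
    vkey = secrets.token_hex(VALIDATION_KEY_BYTES).upper()
    dkey = secrets.token_hex(DECRYPTION_KEY_BYTES).upper()
    return (f'<machineKey validationKey="{vkey}" decryptionKey="{dkey}" '
            f'validation="{validation}" decryption="{decryption}" />')


def audit_machine_key(xml_text, published_keys=frozenset()):
    """Return findings for one <machineKey> element (empty list = none)."""
    elem = ET.fromstring(xml_text)
    findings = []
    for attr in ("validationKey", "decryptionKey"):
        value = elem.get(attr, "")
        if value.startswith("AutoGenerate"):
            findings.append(f"{attr}: auto-generated, not fixed in config")
        elif not HEX_RE.fullmatch(value):
            findings.append(f"{attr}: missing or not hexadecimal")
        elif value.upper() in published_keys:
            findings.append(f"{attr}: matches a publicly posted key")
    dkey = elem.get("decryptionKey", "")
    if (elem.get("decryption") == "AES" and HEX_RE.fullmatch(dkey)
            and len(dkey) not in AES_HEX_LENGTHS):
        findings.append("decryptionKey: length is not valid for AES")
    return findings


# Constructed inputs: the server default quoted in the post, and a value
# standing in for a key copied from a public web page (not a real key).
DEFAULT_ELEMENT = ('<machineKey validationKey="AutoGenerate,IsolateApps" '
                   'decryptionKey="AutoGenerate,IsolateApps" '
                   'validation="SHA1" decryption="Auto" />')
COPIED_KEY = "AB" * 64

if __name__ == "__main__":
    print(new_machine_key())
    print(audit_machine_key(DEFAULT_ELEMENT))
```

A static key is only as good as its secrecy, so generate one per application and keep it out of anything public; a key pasted into a forum post or copied from one should be treated as known to everyone.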