ASP.NET 2.0 and "Validation of ViewState Mac failed" exception

If you get this?Exception

[HttpException (0x80004005): Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.]

and

• you know *for sure*?that you aren't using a web farm
• it seems that it appears when using built-in databound controls such as GridView, DetailsView or FormView which utilize DataKeyNames.
• it appears if you have a large page which?loads slowly for any reason

If following preconditions are true and you click a postbacking control/link while the Page hasn't loaded completely, you might get?the "Validation of ViewState MAC failed"??exception. In this case be sure to check following post on ASP.NET Forums where this has been discussed quite thoroughly : http://forums.asp.net/1173230/ShowPost.aspx

It?appears because GridView using DataKeyNames requires ViewState to be encrypted. And when ViewState is encrypted, Page adds??<input type="hidden" name="__VIEWSTATEENCRYPTED" id="__VIEWSTATEENCRYPTED" value="" /> field just before?closing of the <form> tag. But this hidden field might not bet yet rendered to the browser with long-running pages, and if you make a postback before it "gets down", browser?initiates postback without this field (in form post collection)

End result is that if this field is omitted on postback, Page doesn't "know" that?viewstate is encrypted and causes the prementioned Exception. E.g Page expects to be fully-loaded before you can make a postback. And by the way similar problem is with event validation since __EVENTVALIDATION field is also rendered on the end of the form.

A?way to overcome the problem is to set in web.config pages enableEventValidation="false" viewStateEncryptionMode ="Never" />Just note the security implications of these!
在預設狀況ASP.NET會隨機建立manchineKey當作驗證碼，
<configuration>
<system.web >
<machineKey validationKey = "AutoGenerate,IsolateApps"
decryptionKey = "AutoGenerate,IsolateApps" validation = "SHA1"/>
</system.web>
</configuration
若你有兩臺Web Server，當另一臺要驗證ViewState時，
validationKey或decryptionKey必須是相同的，所以必須自行產生validationKey後，
才能以相同的驗證碼來處理ViewState甚至cookie等。

產生驗證碼的方法如下:

string validationKey = GetKey(30); //20~64均可
string decryptionKey = GetKey(30); //20~64均可

protected string GetKey(int Keylen)
{
byte[] bytes = new byte[Keylen];
new RNGCryptoServiceProvider().GetBytes(bytes);
StringBuilder Builder = new StringBuilder();
for (int i = 0; i < bytes.Length; i++)
{
Builder.Append(string.Format("{0:X2}", bytes[i]));
}
return Builder.ToString();
}

產生後即可在每臺Web Server網站的Web.Config加上<machineKey>即可，如下
<configuration>
<system.web>
<machineKey validationKey="3FF1E929BC0534950B0920A7B59FA698BD02DFE8"
decryptionKey="280450BB36319B474C996B506A95AEDF9B51211B1D2B7A77"
decryption="3DES" validation="SHA1"/>
</system.web>
</configuration>