Web Farms and ASP.NET ViewState

Jeff Atwood

Jeff Atwood

2 min read Comments

If you deploy ASP.NET websites to a web farm, you may run into this perplexing System.Web.HttpException:

The viewstate is invalid for this page and might be corrupted

If you’ve installed ASP.NET 1.1 service pack 1, you may also get a much more helpful exception from System.Web.UI.LosFormatter.Deserialize:

Authentication of viewstate failed. 1) If this is a cluster, edit configuration so all servers use the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster. 2) Viewstate can only be posted back to the same page. 3) The viewstate for this page might be corrupted.

So clearly there’s a problem with the ASP.NET viewstate.

As pointed out in Rich Crane’s blog entryASP.NET ViewState is tied to the particular server it came from by default even though the documentation says it isn’t. So when ViewState generated on server A is POST-ed back to server B, you’ll get this exception. Somewhere in the pipeline, the viewstate is salted with a unique, autogenerated machine key from the originating server’s machine.config file:

<!--  validation="[SHA1|MD5|3DES]" -->
<machineKey validationKey="AutoGenerate,IsolateApps"
decryptionKey="AutoGenerate,IsolateApps" validation="SHA1"/>

This is done to prevent users from somehow tampering with the ViewState. Any change to the ViewState data on the client will be detected. But this has a side effect: it also prevents multiple servers from processing the same ViewState. One solution is to force every server in your farm to use the same key – generate a hex encoded 64-bit or 128-bit <machineKey> and put that in each server’s machine.config (note that this key is bogus and shown only for illustration; don’t use it):

<!--  validation="[SHA1|MD5|3DES]" -->
<machineKey validation="SHA1"
validationKey="F3690E7A3143C185A6A8B4D81FD55DD7A69EEAA3B32A6AE813ECEEC" />

Or – and I think this is the easier approach – you can disable the keying of viewstate to a particular server using a simple page directive at the top of your .aspx pages:

<%@ Page Language="vb" AutoEventWireup="false" Codebehind="MyPage.aspx.vb"
Inherits="MyAssembly.MyPage" enableViewStateMac="False" %>

Alternately, you can modify the pages element in Web.config:

<system.web>
<pages enableViewStateMac="false" />
</system.web>

Either way, works great. Who needs all that stupid security anyway?

asp.net web farms viewstate cluster serialization

Related posts

My Scaling Hero

Inspiration for Stack Overflow occasionally comes from the unlikeliest places. Have you ever heard of the dating website, Plenty of Fish? Markus Frind built the Plenty of Fish Web site in 2003 as nothing more than an exercise to help teach himself a new programming language, ASP.NET. The site

By Jeff Atwood ·
Comments

Wrangling ASP.NET Viewstate

Inspired by Scott Hanselman's recent post on ASP.NET viewstate wrangling [http://www.hanselman.com/blog/MovingViewStateToTheBottomOfThePage.aspx], here's a roundup of tips for dealing with that ornery viewstate stuff. The first rule of thumb, of course, is to turn it off whenever you can. But

By Jeff Atwood ·
Comments

Recursive Page.FindControl

I’m currently writing my first ASP.NET 2.0 website. VS.NET 2005 is worlds better than VS.NET 2003, but I was mildly surprised to find that Microsoft still hasn’t added a recursive overload for Page.FindControl. So, courtesy of Oddur Magnusson, here it is: private Control

By Jeff Atwood ·
Comments

ASP.NET NTLM Authentication - is it worth it?

At work, we have the luxury of assuming that everyone’s on an intranet. So when it comes to identity management on our ASP.NET websites, NTLM authentication is the go-to solution. Why trouble the user with Yet Another Login Dialog when you can leverage the built in NTLM functionality

By Jeff Atwood ·
Comments

Recent Posts

Let's Talk About The American Dream

Let's Talk About The American Dream

A few months ago I wrote about what it means to stay gold — to hold on to the best parts of ourselves, our communities, and the American Dream itself. But staying gold isn’t passive. It takes work. It takes action. It takes hard conversations that ask us to confront

By Jeff Atwood ·
Comments
Stay Gold, America

Stay Gold, America

We are at an unprecedented point in American history, and I'm concerned we may lose sight of the American Dream.

By Jeff Atwood ·
Comments
The Great Filter Comes For Us All

The Great Filter Comes For Us All

With a 13 billion year head start on evolution, why haven’t any other forms of life in the universe contacted us by now? (Arrival is a fantastic movie. Watch it, but don’t stop there – read the Story of Your Life novella it was based on for so much

By Jeff Atwood ·
Comments
I Fight For The Users

I Fight For The Users

If you haven’t been able to keep up with my blistering pace of one blog post per year, I don’t blame you. There’s a lot going on right now. It’s a busy time. But let’s pause and take a moment to celebrate that Elon Musk

By Jeff Atwood ·
Comments