Error on MVC application debug : Validation of viewstate MAC failed

Question

Starting form now, for the first time, I am getting this error when I start debugging my MVC application

Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.

Full stack trace

[ViewStateException: Invalid viewstate. 
    Client IP: 127.0.0.1
    Port: 
    Referer: 
    Path: /Login/LogOn
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/534.7 (KHTML, like Gecko) Chrome/7.0.517.41 Safari/534.7
    ViewState: Fvq7WNUu+qCC00VbTIOTUuBvK4YHjxp3RubwsrFYW93hKlF7I4GLzaNHceRqjjJB0GwvRPWwlwE6brhAZAo+Mp191B/C+l8Dw/w7aQBDCpWGC3ox6hkSeZp10vbjm9eJFQZmGSPyC1rKYwApBBaz0Q==]

[HttpException (0x80004005): Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.]
   System.Web.UI.ViewStateException.ThrowError(Exception inner, String persistedState, String errorPageMessage, Boolean macValidationError) +198
   System.Web.UI.ViewStateException.ThrowMacValidationError(Exception inner, String persistedState) +14
   System.Web.UI.ObjectStateFormatter.Deserialize(String inputString) +274
   System.Web.UI.ObjectStateFormatter.System.Web.UI.IStateFormatter.Deserialize(String serializedState) +4
   System.Web.Mvc.AntiForgeryDataSerializer.Deserialize(String serializedToken) +176

What does this means?

Please note: the error happens only during debug. When I deploy the app on local IIS everything works. It appears on the following code in my master page

<form id="__AjaxAntiForgeryForm" action="#" method="post">
    <%= Html.AntiForgeryToken() %>
</form>

Answer 1

The immediate reason why this is happening is because of the antiforgery cookie getting invalidated. Closing and reopening the browser should fix the issue. You could alternatively try deleting the cookie associated with your test site.

Now for the underlying cause, this usually happens either because

• you are in a web farm scenario and your various servers are not confiured the same way (but you're saying that's not the case)
• the application changes the autogenerated MAC because of changes you are making to your apps configuration
• you recently applied a patch to fix the Asp.Net ViewState encryption vulnerability (which changed the way that encryption is performed in asp.net).

Any of this sound familiar?