I am working with a customer who reported an issue recently with one of our applications they deployed to a hardware load balanced web farm. The error itself is quite straightforward.
Exception occurred in System.Web: Invalid viewstate
This obviously has something to do with the load balancing switching between servers but what’s the best way to handle it? The error itself is caused because ASP.NET thankfully performs a check—called a machine authentication check (MAC)—when ViewState data is posted to a server. This helps protect against scenarios where a malicious client might tamper with ViewState data and try to post harmful data to the server.
The MAC works great except when you have more than one server…then it causes problems because the private machine keys are different among the servers in the farm. You have two main approaches to address this.
- Turn off the MAC check by setting enableViewStateMac=”false” in your Web.config or pages for each web server. I don’t recommend this approach unless you have an internal non-public facing scenario.
- Use the same machineKey attribute value in the Web.config for all servers in the farm. Check out this article for a great set of instructions to set the machineKey to the proper value. I highly recommend this approach for public-facing web farms.
Check out the other great resources here for more information about load balancing an ASP.NET web application that uses ViewState.