Disabling Anti-XSRF token validation in ASP.NET web forms redirects to login page on IIS and IE


We are using new ASP.NET Web forms template in new VS 2012. Because we had some problems on IIS, with this error:

"System.Web.HttpException (0x80004005): Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster. ---> System.Web.UI.ViewStateException: Invalid viewstate."

Then we made this changes to web.config:

<pages validateRequest="false" enableEventValidation="false" viewStateEncryptionMode ="Never" enableViewStateMac="false" > ... </pages>

but, then we got the error: "Validation of Anti-XSRF token failed."

We then commented all the code in Site.Master.cs, regarding Anti-XSRF token validation (because site is used on intranet), however now we cannot login using IE (in Chrome and Firefox works), because after login (which is succesfull in log), it redirects to login page again, but the user is logged in.

UPDATE I tried all of the solutions from here and it doesn't work: http://blogs.msdn.com/b/tom/archive/2008/03/14/validation-of-viewstate-mac-failed-error.aspx. Lastly, I tried also with: in web.config, but then i get the error: System.InvalidOperationException: Validation of Anti-XSRF token failed. Still, there is no solution.

UPDATE 2 Is there a proper way to disable Anti-XSRF token validation in new ASP.NET Web Forms template project ?

asked on Stack Overflow Oct 9, 2013 by Milan • edited Oct 9, 2013 by Milan

1 Answer


Instead of disactivaving all the security features of ASP.NET (which is NOT advised at all), you should rather focus on solving the actual error.

System.Web.HttpException (0x80004005): Validation of viewstate MAC failed is a common error. To solve it, you have to define a machinekey to use in your web.config file. This is usually due to the fact that you have two different keys across postback. Defining one in the web.config will most likely solve the issue (do not forget to reactivate security features like viewstate encryption). You can generate one here: http://aspnetresources.com/tools/machineKey

See this post for an example: https://stackoverflow.com/a/6260201/375304 (but do NOT use the same key).

Also, have look at this link, it might be helpful to understand ASP.NET security features related to the machinekey. http://msdn.microsoft.com/en-us/library/ff649308.aspx

UPDATE: If any of this doesn't work, try the following (source):

Another solution based on #3 above, special thanks to Alex for posting this in the comments below. He wrote a small class called BasePage that fixes the issues, so you just have to extend your page from BasePage instead of Page:

public class BasePage : Page
  private static string[] aspNetFormElements = new string[] 

  protected override void Render(HtmlTextWriter writer)
    StringWriter stringWriter = new StringWriter();
    HtmlTextWriter htmlWriter = new HtmlTextWriter(stringWriter);
    string html = stringWriter.ToString();
    int formStart = html.IndexOf("<form");
    int endForm = -1;
    if (formStart >= 0)
      endForm = html.IndexOf(">", formStart);

    if (endForm >= 0)
      StringBuilder viewStateBuilder = new StringBuilder();
      foreach (string element in aspNetFormElements)
        int startPoint = html.IndexOf("<input type=\"hidden\" name=\"" + element + "\"");
        if (startPoint >= 0 && startPoint > endForm)
          int endPoint = html.IndexOf("/>", startPoint);
          if (endPoint >= 0)
            endPoint += 2;
            string viewStateInput = html.Substring(startPoint, endPoint - startPoint);
            html = html.Remove(startPoint, endPoint - startPoint);

      if (viewStateBuilder.Length > 0)
        viewStateBuilder.Insert(0, "\r\n");
        html = html.Insert(endForm + 1, viewStateBuilder.ToString());

answered on Stack Overflow Oct 9, 2013 by Superzadeh • edited May 23, 2017 by Community

User contributions licensed under CC BY-SA 3.0