MachineKey in web.config

There are few scenarios that you want to add MachineKey into your web application’s web.config:

  1. You have a web farm and in each server the machine.config set to auto generate machinekey.
  2. You want to use “Encyrpted” password format in ASP.NET membership provider.
  3. You get intermittent error of  “Validation of viewstate MAC failed…..”

To fix problem #3,  you can also set one of all these in the <page settings:

<page enableEventValidation=”false” viewStateEncryptionMode=”Never” enableViewStateMac=”false”

However you have to be aware of the risk of this change, as it opens door for ViewState value tampering. (Joteke has an intersting finding on large pages having gridview control. Basically in this case, you have to set above values for avoid the error, which is casued by the position of a hidden field containing some encrypted  information.)

Here are 2 online tools to generate the random machine key for you:  this and this. A sample MachineKey node:

validation=”SHA1″ decryption=”AES”

The <machineKey> should be put inside <system.web> section.

Please refer to MSDN for documentation:  syntax and overview.

This entry was posted in ASP.NET and tagged . Bookmark the permalink.

8 Responses to MachineKey in web.config

  1. Wow…

    This post finally solved My Application Errors on: “Validation of viewstate MAC failed” and suddenly getting user logged out from application and redirected to Login Page.

    Thanks a lot!!!

  2. This post saved me from padding errors.

  3. jacob says:

    thank you so much, i’m on shared hosting and tried to use nopcommerce – your article is what i needed to fix it!!

  4. Jay says:

    This worked for me as well. I was getting a similar WebException along the lines of “Validation of data failed”. I was not even using viewstate, only the FormsAuthentication Cookie for authentication.

    Right after my dedicated server recycled the application pool, it causes the exception. After entering the machineKey in my web.config using the machineKey generator mentioned above, it solved my problems.

    Thanks Dude,

  5. shrikant says:

    Hi All,

    i have created an application and this application is deployed on farm-server where load balancing is enabled and sticky session is also used.

    when request come from single server in that time its working fine but during the post back if request server is changed in that time it throws an exception “Key not valid for use in specified state”.

    i have tried to set same machine key on both server but still facing same problem.

    my working enviornment is 3.5,IIS 7.0 and Active Directory

    Please any one can suggest me ?

    thanks in Advance.

  6. shadowboxer says:

    I’m having the same proble as shrikant.. Any help would be appreciated. Thank you

  7. Vinny Tang says:

    Hi, I was wondering if changing the machine key causes some other problems w/in sharepoint? Someone mentioned perhaps Office Web Apps maybe a problem?

  8. peter says:

    I have two site running on same server with different port. One on :8080 and other is :8081. When user log in to :8080 and try to open other site on 8081. He automatically log-in to that site. Without entering his Username and password. I am wondering how to prevent that to not happen,

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s