ASP.NET MVC Validation of ViewState MAC failed

Question

After publishing a new build of my ASP.NET MVC web application, I often see this exception thrown when browsing to the site:

System.Web.Mvc.HttpAntiForgeryException:

Answer 1

Under the covers, the MVC AntiForgeryToken attribute uses the machinekey for encryption. If you don't specify a machinekey in the web.config (see here), one is automatically generated for you by ASP.NET (full description).

If the ASP.NET application is restarted (e.g. do an iisreset), the AntiForgeryToken within the browser cookie will still be encrypted with an old machine key, hence why it crashes with the above error.

So you should always specify a machinekey in your web.config when using MVC, e.g.

    
        
    ...