I've been getting quite a few errors from dasBlog recently with invalid viewstate. After chatting with Scott Hanselman about possible causes, we've narrowed it down to two possiblities:
- someone is tampering with my site
- IIS is recycling whilst a postback occurs
The IIS recylcing sounds more likely, although I'm actually hosting this site on Windows 2000 with IIS5 which I didnt think recycled ever 20 minutes like IIS6.
Anyhow to rule that out I've set a manual machineKey for my dasBlog application: here's an example:
<machineKey
validationKey="21F090935F6E49C2C797F69BBAAD8402ABD2EE0B667A8B44EA7DD4374267A75D7
AD972A119482D15A4127461DB1DC347C1A63AE5F1CCFAACFF1B72A7F0A281B"
decryptionKey="ABAA84D7EC4BB56D75D217CECFFB9628809BDB8BF91CFCD64568A145BE59719F"
validation="SHA1"
decryption="AES"
/>
That way if IIS does cycle during a request we should also use the same keys instead of getting new AutoGenerated ones. The same principle applys if you are using a web farm. Different servers might serve the inital request from the postbacks.
BTW: if you need to generate those keys above, here's some code:
using System;
using System.Text;
using System.Security;
using System.Security.Cryptography;
class App {
static void Main(string[] argv) {
int len = 128;
if (argv.Length > 0)
len = int.Parse(argv[0]);
byte[] buff = new byte[len/2];
RNGCryptoServiceProvider rng = new
RNGCryptoServiceProvider();
rng.GetBytes(buff);
StringBuilder sb = new StringBuilder(len);
for (int i=0; i<buff.Length; i++)
sb.Append(string.Format("{0:X2}", buff[i]));
Console.WriteLine(sb);
}
}