Solved: ASP.NET application generates a new session ID after every postbacks

You need to keep the same session ID for the same visitor in the same connection. If session ID changes in between page redirection, It will probably break your code especially if you are using session ID to improve ViewState complexity such as the example below:

Page.ViewStateUserKey = Session.SessionID;

Solution

  1. Make sure you don’t create session cookie repeatedly. If the line that you create session cookie is executed between postbacks, you will end up having a different session ID since the session cookie is recreated.

    Response.Cookies.Add(new HttpCookie("id", ""))
  2. Make sure you don’t generate session ID repeatedly. An example line of session ID creation:

    objManageSession.CreateSessionID(this.Context);
  3. Assign a dummy value to your session cookie in Global.asax (See details here)

    protected void Session_Start(object sender, EventArgs e)
    {
         // It adds an entry to the Session object so the sessionID is kept for the entire session
         Session["init"] = "session start";
    }
  4. Assign a dummy value to your session cookie in Page_Load method of homepage:

    protected void Page_Load(object sender, EventArgs e)
    {
         Session["init"] = "session start";
    }

It’s working in server but not in localhost?

In your web.config file, change the value of httpOnlyCookies and requireSSL parameters to false. If you keep them in true, local server will force application to regenerate session between page redirections. Make sure to switch these values back to true before you migrate your code to the server.

<httpCookies httpOnlyCookies="false" requireSSL="false"/>

Solved: “Validation of viewstate MAC failed”

You may come across this error message when you get around in pages of your ASP.NET website:

Validation of viewstate MAC failed. If this application is hosted by a Web Farm or cluster, ensure that <machineKey> configuration specifies the same validationKey and validation algorithm. AutoGenerate cannot be used in a cluster.

Background

ASP.NET uses view-state variable to rebuild pages after post-backs. The text of your buttons and the value of the form fields are the examples that this variable stores.

In order to prevent tempering attacks that try to play around with view-state data to force your webpage behave unexpectedly, web server validates the view-state data between page redirections. If the data doesn’t match, you receive the error message above.

Solution

The issue of unmatched view-state data could be related to server configuration or session cookie. Here are the most common root causes:

  • Web server and application pool configuration related issues. Read details in this Microsoft Support article
  • If you are using ViewStateUserKey to prevent Cross-site Request Forgery (CSRF) attacks, make sure the value you assign to this variable is the same in all pages. The most common usage is that assigning session ID or username to ViewStateUserKey. Your website might be losing the session between page redirections. Check these two StackOverflow topics for details: Link 1link 2
  • Redirecting the page right after setting session variables may be the issue. You should avoid using Response.Redirect in this case. Details
  • Antivirus software might be causing the issue. Add scanning exceptions for IIS and your application’s folders. Details