FAQ: How do I create a machine key?

Version: AbleCommerce Asp.Net

Last Update: 11/22/17

When should I create a machine key? My website is running in "medium trust" and I'm receiving viewstate errors.

In most cases, you will NOT have to create a machine key. This is generally required if you are hosted in a "medium" trust environment. You may be experiencing symptoms like having to continuously login more than once in a 20 minute standard session. You may also experience MAC validation errors like the example below.

Validation of viewstate MAC failed. If this application is hosted by a web farm or cluster, ensure that machine key configuration specifies the same validation algorithm. Autogenerate cannot be used in a cluster.

If this happens, you can follow the steps in the section below, "Creating a Machine Key". It some cases, this still may not solve the viewstate errors, in which case, you may need to disable viewstate for the application or for a single page.

How does the "viewstate" error happen?

One way this can happen is if a person clicks something on the page before the page is totally loaded up. That can sometimes be the reason it happens sporadically. To expand on what might be the cause, it's a known problem with ASP.NET. The view state validation information is put at the end of the output by Microsoft. So if you have a page that takes a second or two to fully load up, the browser might already be showing the parts of the page it knows about. That might include buttons or links. So if the person viewing the site clicks on things before the browser has fully loaded the viewstate information, it sends a request back to the server without it.

Creating a Machine Key

The database.config and encryption.config files are saved in an encrypted form, so that your connection string and encryption key remain protected. If you are installing AbleCommerce to a web farm or clustered environment, you must take additional steps so that this file encryption will work properly.

You may experience a problem with having to continuously login. You may also experience MAC validation errors. If this happens, follow the steps below:

Visit this URL: http://aspnetresources.com/tools/keycreator.aspx
The default values for key generation are correct (64/24/SHA1), click Generate
Copy the resulting machine key.
Open the web.config for the store, and paste the copied machine key after the line that says

<system.web>
Save web.config and restart the IIS application service.

When you don’t specify the machine key in web.config, ASPNET automatically generates one for the application. If something causes the application to recycle, the key is regenerated. If the application recycles between requests, then any data that was downloaded by the browser was recorded with the first key, and validated with the second. This turns into the MAC validation error, because the keys are not the same. This is why the error mentions clustered environments, because the same issue occurs if you move from one server to another between requests.

When you set the key in the web.config file, ASPNET uses this key rather than auto generating. That ensures that even if an application recycle takes place, the validation will be correct. This is used for things like session cookies, authentication, viewstate validation, event validation, and so on.

How to disable Viewstate for the application

Note: You should disable viewstate only when a machine key fails to solve the validation of viewstate errors.

In AbleCommerce, we don't store sensitive information in the viewstate... nor do we rely on it for decisions. It should be safe to disable the mac validation feature of asp.net. To do this, complete modify the web.config file as shown below.

Change from -

<pages theme="AbleCommerce" enableEventValidation="false" validateRequest="false">

Change to -

<pages theme="AbleCommerce" enableEventValidation="false" validateRequest="false" enableViewStateMac="false">

This disables the MAC validation for all pages. If desired, and if you know that the problem always occurs on a specific page, you can disable the validation specifically for that page by editing the .aspx file. In the top is this line of code. Using the example,

Change from -

<%@ Page Language="C#" MasterPageFile="~/Layouts/Scriptlet.master" Inherits="CommerceBuilder.Web.UI.AbleCommercePage" Title="Checkout" %>

Change to -

<%@ Page Language="C#" MasterPageFile="~/Layouts/Scriptlet.master" Inherits="CommerceBuilder.Web.UI.AbleCommercePage" Title="Checkout" enableViewStateMac="false" %>

A division of Able Solutions Corporation, headquarters located in Vancouver, WA