Home/ Questions/Q 249985
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-11T21:28:23+00:00

I keep getting errors like this on one of my sites. It tends to

  • 0

I keep getting errors like this on one of my sites. It tends to happen randomly throughout the day any for periods in the night when I would not expect users on the site.

It is always from different ip addresses

System.Web.HttpException: Invalid
viewstate. at
System.Web.UI.Page.DecryptStringWithIV(String
s, IVType ivType) at
System.Web.UI.Page.DecryptString(String
s)

or

System.Security.Cryptography.CryptographicException:
Padding is invalid and cannot be
removed. at
System.Security.Cryptography.RijndaelManagedTransform.DecryptData(Byte[]
inputBuffer, Int32 inputOffset, Int32
inputCount, Byte[]& outputBuffer,
Int32 outputOffset, PaddingMode
paddingMode, Boolean fLast) at
System.Security.Cryptography.RijndaelManagedTransform.TransformFinalBlock(Byte[]
inputBuffer, Int32 inputOffset, Int32
inputCount) at
System.Security.Cryptography.CryptoStream.FlushFinalBlock()
at
System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean
fEncrypt, Byte[] buf, Byte[] modifier,
Int32 start, Int32 length, IVType
ivType, Boolean useValidationSymAlgo)
at
System.Web.UI.Page.DecryptStringWithIV(String
s, IVType ivType) at
System.Web.UI.Page.DecryptString(String
s)

They happen in this page:

 ScriptResource.axd?d=VVe1O4rzLSI9hB5nRzBXZxUYTQz6ylDTL9djGR

The site users Ajax and runs on .NET 3.

Is this someone trying to hack into the site? Is it an error with the html on the site?

Any ideas?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I believe this error is caused by your ViewState being decrypted using an out-of-date ViewStateUserKey.

    Removing these errors is a two-step process:

    1. Ensure you have a site-specific validation key. You can use several online resources to generate one for you, such as this one.
    2. Ensure the page’s ViewStateUserKey is always consistent. From the MSDN documentation:

    Setting the ViewStateUserKey property can help you prevent attacks on your application from malicious users. It does this by allowing you to assign an identifier to the view-state variable for individual users so that they cannot use the variable to generate an attack. You can set this property to any string value, such as the user’s session ID or the user’s authenticated name.

    You can do this by setting it yourself (perhaps in your Page or base Page’s Init event):

    if (Session["ViewStateUserKey"] == null)
{
    Session["ViewStateUserKey"] = new Guid().ToString();
}    
this.Page.ViewStateUserKey = Session["ViewStateUserKey"].ToString();

    And no, I don’t think you’re being hacked.

    • 0