In order to help prevent CSRF attacks I have added the following code:

    Protected Sub Page_Init(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Init
        ' Bind this page's view state to the current session ID
        Page.ViewStateUserKey = Session.SessionID
    End Sub

And now I am getting a "Validation of viewstate MAC failed" error on many pages, in some cases consistently every time, even if my session is brand new (timeout is set to 2 hrs).
I also have code that auto-redirects to the login page after the session timeout limit is reached, so this happens while the session is still active. I also log all errors to the database with a session dump so I can see that the session was active (had data set on login page) when the error occurred.
When I remove the ViewStateUserKey setting, the error stops happening.
Why is this happening? I want to use the ViewStateUserKey setting but I don't want my users to have to deal with this error all the time.