From a newsgroup post: "In ASP.NET 2.0, in addition to ViewState, the webresource.axd generated URL string has identities that were encrypted using the machinekey setting. And these encrypted values are not valid forever, it will expire and become invalid after long time. Therefore, if a page postback after a long time, it is possible that the embeded viewstate info or the certain webresource.axd URL become invalid which will also raise the error. This is mostly found in some internet based web applications since there are some users who will use some old URLs (expired), such as the one in Google cache to visit the certain application and will cause application raise such validation error. If your application is in internet environment, you can add some code in the Application_Error event and check whether the CryptographicException is from some particular client agents. In addition, you can check in the Application_Error event to see whether the exception is always occurring against some specific pages". See the link to ".net newsgroups Topic 34075" for the original post.