If your MachineKey is set to AutoGenerate, then your verification tokens, etc won’t survive an application restart – ASP.NET will generate a new key when it starts up, and then won’t be able to decrypt the tokens correctly.
If you are seeing this a lot, I’d suggest:
- Configuring a static MachineKey (you should be able to do this at the application level), see “How to: Configure a MachineKey” for more information
- Try not to perform IIS Resets when the site is being used1
1 The best way to do this is by having a loadbalanced application, which will require you to set a static MachineKey. Another option is to take the site down by placing a file named app_offline.htm
in the root of the site, which will take the site offline and display your message – at least the users will expect things to go wrong.