You can “tamper-proof” your viewstate to reduce the likelihood of someone trying to spoof your application by setting the EnableViewStateMAC attribute. If necessary you can encrypt it too.
However, by default, ASP.NET creates a random validation key and stores it in each server’s Local Security Authority (LSA). In order to validate a ViewState field created on another server, the validationKey for both servers must be set to the same value. If you secure ViewState by any of the means listed above for an application running in a Web Farm configuration, you will need to provide a single, shared validation key for all of the servers.
Q313091 HOW TO: Create Keys by Using Visual Basic .NET for Use in
Forms Authentication shows how to generate keys for use in
the validationKey and the
decryptionKey attributes of the