This is how the exception can be reproduced on a secure HTTPS web site, 1. Hit a secure HTTPS page - HTTP GET, hidden input __EVENTVALIDATION = 'jkdlsfjalfdsja' 2. Hit a button on the page - HTTP POST 3. Server responds with 302 redirect - HTTP GET, hidden input __EVENTVALIDATION = 'dfjkslaiowed' 4. Hit Back button, page is refetched - HTTP GET, hidden input __EVENTVALIDATION = 'dfjkslaiowed' 5. Hit a button on the page - HTTP POST, traffic sniffer shows __EVENTVALIDATION = 'jkdlsfjalfdsja', while it should be __EVENTVALIDATION = 'dfjkslaiowed'
This issue was fixed very recently. *** This bug has been marked as a duplicate of bug 26241 ***