HighTechTalks DotNet Forums  

ViewStateMac Errors

ASP.net Security microsoft.public.dotnet.framework.aspnet.security


JimF
 
ViewStateMac Errors - 01-02-2008, 04:45 PM






We have an application that is persisting ViewState to a SQL database and
thus all of our pages only have a GUID for the view state hidden field. We
are also getting ViewStateMac errors under certain conditions, like using the
Back button, which we seem to not have control over.

1. A user cannot do ViewState injection since WE are storing the viewstate
server side. (At best, they could only replace the GUID with a different one
and the odds of them finding an unexpired GUID are worse than winning the
lottery...)
2. My understanding of ViewStateMac is that it is a Digest of the ViewState,
plus some secret key stuff.

So, (finally), my question is, from a security standpoint, how necessary is
it to use ViewStateMac when the content of the ViewState is not going back to
the user?

Thanks in advance.
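
The two mechanisms the post describes, a server-side view state store keyed by a GUID with expiry and a MAC as a keyed digest, modelled in Python as an added example that is not part of the original post. The in-memory store, the key, the 20-minute expiry and the sample state are assumptions, and HMAC-SHA256 stands in for whatever validation algorithm the application is configured with.

```python
import hashlib, hmac, secrets, time, uuid

MAC_KEY = secrets.token_bytes(32)  # assumption: stands in for the server's validation key
TTL_SECONDS = 1200                 # assumption: expiry window for stored view state

class ViewStateStore:
    """In-memory stand-in for the SQL table that holds view state by GUID."""
    def __init__(self, clock=time.time):
        self._rows = {}
        self._clock = clock

    def save(self, state: bytes) -> str:
        key = str(uuid.uuid4())    # random (version 4) GUID; only this reaches the page
        self._rows[key] = (state, self._clock() + TTL_SECONDS)
        return key

    def load(self, key: str):
        row = self._rows.get(key)
        if row is None or row[1] < self._clock():
            self._rows.pop(key, None)  # unknown or expired GUID: nothing to load
            return None
        return row[0]

def mac(data: bytes) -> bytes:
    """Keyed digest over whatever bytes the client holds."""
    return hmac.new(MAC_KEY, data, hashlib.sha256).digest()

def verify(data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(data), tag)

def demo():
    now = [1000.0]                           # controllable clock for the expiry check
    store = ViewStateStore(clock=lambda: now[0])
    state = b"cart_total=10.00"              # constructed sample view state
    guid = store.save(state)
    other = store.save(b"other page state")  # a second live entry
    results = {
        # Client-held state: any edit invalidates the MAC.
        "client_side_tamper_detected": not verify(b"cart_total=0.01", mac(state)),
        # Server-held state: the GUID is only a lookup key.
        "valid_guid_loads": store.load(guid) == state,
        "guessed_guid_loads": store.load(str(uuid.uuid4())) is not None,
        # The store alone does not tie a live GUID to the page that issued it.
        "swapped_live_guid_loads": store.load(other) == b"other page state",
    }
    now[0] += TTL_SECONDS + 1
    results["expired_guid_loads"] = store.load(guid) is not None
    return results

if __name__ == "__main__":
    print(demo())
```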
