ViewStateUserKey isn't preventing CSRF?

I suspect this is due to my test configuration, but I wanted to ask you folks for your thoughts. I was playing around with a quick test project. I had a simple forms auth page and an order page (two fields and a list to show "orders"). The order page was set to use Request.Form[] when retrieving parameters to prevent input from coming in as a GET operation.

I set ViewStateUserKey in Page_Init and explicitly set EnableViewStateMac to true (even though it defaults to that).

Then I made a .HTM that did a form post to my order page that sets values for the two fields (product and quantity). I should note, I didn't bother crafting a viewstate as part of the form submit. I did View Source on the real page in my browser, cut out everything but the form fields, added some javascript to set the field values and do the form.submit()

I logged in to the test project, and opened the .HTM. The .HTM successfully submitted the form and when I refreshed the order page, I could see the bogus order.

Why didn't ViewStateUserKey protect against this? Isn't it supposed to block that very type of attack? In this example, I did not tamper with viewstate, I simply made a page that did a normal form post, so is ViewStateUserKey ONLY there to protect against ViewState tampering (which strikes me as utterly worthless, or is this working because both pages are living on the same physical machine?

Did you include the original viewstate field in the test page? If you copied a valid viewstate for a particular user, and then submitted it as that user, then yes, you would expect it to just work.

The ViewStateUserKey feature only prevents you from taking a ViewState created from your own user and using it in a submission made inadvertently by another user.