I've implemented a possible fix for ASP.NET 4.0 by creating a custom crypto algorithm which uses AES + SHA256 hash.
This way it is not easily possible to create new valid requests. The hash function will sort out the majority of the requests as being invalid. Even if the attacker has the machine key, the attacker also needs the secret hash key to encrypt custom data.
If someone is interested:
View Complete Post