One click attack normally occurs when attacker creates a prefilled web page(.htm or .aspx) with view state. The view state is generated from a previously created page. ex. shopping cart page with say 50 items. The attacker then lures unsususpecting user to browse the page and causing the page to be sent to server where view state is valid.
To prevent this kind of attack in .NET, use Page.ViewStateUserKey in Page_Init event with unique value per user such as username or configured in web.config.