The anti-forgery cookie token and form field token do not match in MVC 4

Question

I'm using the default login module in ASP.NET MVC 4. I did not change any code in the default application and i hosted it on a shared server.

After i logged in using default login page. i kept the browser idle for some time. Then obviously application redirected to the login page when i try to perform any controller action with [Authorize] attribute.

Then i try to login again and it gives an error when i click on login button.

The anti-forgery cookie token and form field token do not match.

LogIn action

// POST: /Account/Login

        [HttpPost]
        [AllowAnonymous]
        [ValidateAntiForgeryToken]
        public ActionResult Login(LoginModel model, string returnUrl)
        {
            if (ModelState.IsValid && WebSecurity.Login(model.UserName, model.Password, persistCookie: model.RememberMe))
            {
                return RedirectToLocal(returnUrl);
            }

            // If we got this far, something failed, redisplay form
            ModelState.AddModelError("", "The user name or password provided is incorrect.");
            return View(model);
        }

Answer 1

In my case, I was providing form token to cookie token parameter and vice versa.

Answer 2

In my case it was related to multiple cookie values set by domain site and subdomain site.

• main.com set __RequestVerificationToken = 1
• sub.main.com set __RequestVerificationToken = 2

but when request to sub.main.com was sent it used __RequestVerificationToken = 1 value from main.com

Answer 3

In My case "We found that the Site cache was enabled and due to this “anti-forgery” token value was not updating every time, after removing this cache form is submitting."

Answer 4

I resolved the issue by explicitly adding a machine key in web.config.

Note: For security reason don't use this key. Generate one from https://support.microsoft.com/en-us/kb/2915218#AppendixA. Dont use online-one, details, http://blogs.msdn.com/b/webdev/archive/2014/05/07/asp-net-4-5-2-and-enableviewstatemac.aspx

 <machineKey validationKey="971E32D270A381E2B5954ECB4762CE401D0DF1608CAC303D527FA3DB5D70FA77667B8CF3153CE1F17C3FAF7839733A77E44000B3D8229E6E58D0C954AC2E796B" decryptionKey="1D5375942DA2B2C949798F272D3026421DDBD231757CA12C794E68E9F8CECA71" validation="SHA1" decryption="AES" />

Here's a site that generates unique Machine Keys:

http://www.developerfusion.com/tools/generatemachinekey/

Answer 5

Another reason for having this error is if you are jumping between [Authorize] areas that are not cached by the browser (this would be done on purpose in order to block users from seeing protected content when they sign out and using the back button for example).

If that's case you can make your actions non cached, so if someone click the back button and ended up on a form with @Html.AntiForgeryToken() the token will not be cached from before.

See this post for how to add [NoCache] ActionFilterAttribute: How to handle form submission ASP.NET MVC Back button?

Answer 6

For me, this was caused by submitting a form using a button tag. Changing this to an input submit tag resolves the issue.

Answer 7

I had this problem for a long time and assumed it was something wrong with ASP.NET.

In reality, it was the server. I was with WinHost then, and they have a 200MB memory limit. As soon as I had ~20 users on at the same time, my limit was reached. At this point, everyone was logged out and yielded these issues.

Answer 8

make sure you put the @Html.AntiForgeryToken() in your page's form