Reputation: 757
Intermittent error thrown, "A required anti-forgery token was not supplied or was invalid."
I'm occasionally getting this error during normal use, and I've not found a way to stop it without removing the attribute that requires the token, which I'd rather not do.
I've gotten this bug during my own testing (but seemingly randomly) and I know from my logging that actual logged-in users are getting it as well.
Does anyone know what would cause the antiforgerytoken system to break (other than a real attack), and how I could fix this without opening up a security hole in my forms?
Thanks!
Upvotes: 13
Views: 8229
Answers (6)
Reputation: 2920
As mpen said in the comment on the answer I see this all the time when users leave the page sitting there for more than 20 minutes (the default session time) and the token expires.
You can trigger or force this error (if you're trying to test catching it) by opening your browser's developer tools and deleting the __RequestVerificationToken hidden field:
<input name="__RequestVerificationToken" type="hidden" value="AqJL/+e9tGCSCXdurrXDRefVL/TAdOAG9Hjrx0oMPg6sVZY3xv099OSYlH1qI8uZyu4x2xFj9eiNVSH2BGsSfJCQAqzxfQtIKoHXNkkW2FJTkxzsNRkwZo1SJUzYGvcEJ/OJ0AouiUWh98qyIzgN2ZkKP7k=">
Upvotes: 0
Reputation: 15810
Here's a portion of my answer to a similar question:
Machine Key and Cookies: this issue is ugly, easy to spot (causes exceptions), but not very intuitive. The validation cookies and tokens are encoded and decoded using a unique "machine key". This means that if you have a server farm, or change your server, your cookie will no longer be valid. Closing your browser fixes the issue (because the cookie is a session cookie). However, some people leave their browser windows open in the background for a long time!
The solution is to set a "machine key" in your config file. This will tell MVC to use the same key on all servers, ensuring that the cookie will be decryptable everywhere.
Please note: if a user keeps any browser window open, even AFTER you change your machine key, they will continue to get these error messages! They MUST close the window (to clear the session-cookie) in order to access your website again.
Upvotes: 8
Reputation: 9095
One thing to make sure is to have the same machine key token for all requests. If you don't have this and your application pool recycles, subsequent POSTs with old cookies cause this error.
Another cause is when somebody has the privacy settings way high and thus blocking cookies. For example, in Internet Explorer from the Privacy tab if the settings are set to High or Block All Cookies you would get this error.
Upvotes: 4
Reputation: 43873
Not sure if this will help but I found that when using Internet Explorer I would get this error whenever there was an underscore '_' inside the subdomain... however not on Firefox.
Still looking for a solution or reasoning.
Upvotes: 1
Reputation: 3860
Read the section here on limitations
prevent cross site request forgery
Upvotes: 1
Reputation: 32828
Make sure that your ~/Web.config has a <machineKey> section and that you're setting the key from within that section. The anti-XSRF system requires this to be present.
Upvotes: 0
Related Questions
- Troubleshooting anti-forgery token problems
- The anti-forgery token Error
- The provided anti-forgery token was meant for a different claims-based user than the current user
- Intermittent issue of HttpAntiForgeryException on Production only
- anti-forgery token error
- A required anti-forgery token was not supplied or was invalid
- MVC3 :a required anti-forgery token was not supplied or was invalid
- Problem with Validate Anti Forgery
- AntiForgery Exception: A required anti-forgery token was not supplied or was invalid
- ASP.MVC antiforgery token and cryptographic errors