The required anti-forgery cookie "__RequestVerificationToken" is not present only in Google Chrome

Question

I have an existing website and suddenly some days ago I can't use Google Chrome anymore for developing. When I use a standard edit and create page, I get the above error. But i'm not getting it in Internet Explorer. I use Windows 10 (all updates installed) and VS2013 with Update 4. The project is the latest MVC version. I even checked the web.config but nothing is changed. I deleted all history, cookies, passwords etc. Anyone any idea?

Answer 1

Are you on cloud platform ? chrome emits cookies from cloud domains hence the only way to do it is to map another named domain to your cloud web site

This is probably because browsers like Chrome use the Public Suffix List(https://publicsuffix.org/list/effective_tld_names.dat) to restrict certain cookies. If the domain suffix set on the cookie is shared publicly then the browser may block such a cookie in order to prevent itself from sending "unauthorized" data to other servers running on the same domain.

Answer 2

This was happening to me in Chrome, and seemed related to using the 'remember me' checkbox on login forms, and closing then re-opening the browser. The token was present on inspecting page source, but was reported as being not present during debugging sessions in visual studio. By clearing the browser cache and not checking the 'remember me' box I did not get the problem - but I don't fully understand why!!

My steps to reproduce the bug in Chrome:

1. Sign in to your MVC web application, clicking on 'remember me' to make it checked
2. Close browser
3. Open browser to your current retained session
4. Try to sign out - error happens here.

Anyway, the following solution worked for me. Inside your MVC view form, try replacing this:

@Html.AntiForgeryToken()

with:

ViewContext.Writer.Write(Html.AntiForgeryToken().ToHtmlString());

Answer 3

Do you have a

<httpCookies requireSSL="true" />

in your Web.config? Change that to false. Then in your transforms files (Web.Prod.config, and other environments that have SSL):

<httpCookies requireSSL="true" xdt:Transform="SetAttributes" />

Answer 4

I'm also having the same issue in recent weeks, but it's also extending cross-browser after originating from Chrome. What's even stranger is that it still works flawlessly with the identical project on a different machine using all browsers. I have gone so far as to uninstall all extensions, delete all cookies / data, sign out of Chrome completely and re-install it. Problem still persists.

On deployment to Azure websites the problem isn't present on any platform. My current work-around is to Ctrl-F [ValidateAntiForgeryToken] and comment out every occurrence, and re-enable it upon deployment. Annoying, but it works.

Answer 5

I had the same problem. For me the solution was to both clear my browser cookies and to disable Adblock. Other addons may have the same effect. I believe the problem is limited to the Visual Studio / Chrome development environment and will not occur in production regardless of whether the end user has Adblock enabled or not.