I'm occasionally getting this error during normal use, and I've not found a way to stop it without removing the attribute that requires the token, which I'd rather not do.
I've gotten this bug during my own testing (but seemingly randomly) and I know from my logging that actual logged-in users are getting it as well.
Does anyone know what would cause the antiforgerytoken system to break (other than a real attack), and how I could fix this without opening up a security hole in my forms?
Thanks!
Here's a portion of my answer to a similar question:
Machine Key and Cookies: this issue is ugly, easy to spot (causes exceptions), but not very intuitive. The validation cookies and tokens are encoded and decoded using a unique "machine key". This means that if you have a server farm, or change your server, your cookie will no longer be valid. Closing your browser fixes the issue (because the cookie is a session cookie). However, some people leave their browser windows open in the background for a long time!
The solution is to set a "machine key" in your config file. This will tell MVC to use the same key on all servers, ensuring that the cookie will be decryptable everywhere.
Please note: if a user keeps any browser window open, even AFTER you change your machine key, they will continue to get these error messages! They MUST close the window (to clear the session-cookie) in order to access your website again.
One thing to make sure of is to have the same machine key for all requests. If you don't have this and your application pool recycles, subsequent POSTs with old cookies cause this error.
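Both answers above recommend pinning the machine key in the config file. The following web.config fragment is an added example, not code from either answer, showing the implicit default beside an explicit shared key; the key values are placeholders that must be replaced with keys you generate yourself.

```xml
<!-- Added example, not from the original answers.
     web.config fragment: pin the machine key so anti-forgery cookies and tokens
     decrypt identically on every server in the farm and across app-pool recycles.
     Key values are placeholders; generate your own (for example with the
     "Generate Keys" action under Machine Key in IIS Manager) and keep them out of
     source control. -->
<configuration>
  <system.web>
    <!-- Problem setting: this is the implicit default when no machineKey element
         is present. Each server (or each app-pool instance after a recycle) gets
         its own auto-generated key, so a token issued by one instance fails
         validation on another:
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
    -->

    <!-- Fix: one explicit key shared by every server that serves this application.
         validationKey: 64-byte hex string for HMACSHA256 (128 hex characters)
         decryptionKey: 32-byte hex string for AES (64 hex characters) -->
    <machineKey validationKey="PLACEHOLDER_128_HEX_CHARACTER_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_64_HEX_CHARACTER_DECRYPTION_KEY"
                validation="HMACSHA256"
                decryption="AES" />
  </system.web>
</configuration>
```

As the first answer notes, cookies issued under the old auto-generated key stay invalid until the user closes the browser, so expect a tail of these errors right after deploying the new key.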
Another cause is when somebody has their privacy settings set very high and is thus blocking cookies. For example, in Internet Explorer, if the settings on the Privacy tab are set to High or Block All Cookies, you would get this error.
Read the section on limitations here: prevent cross site request forgery