Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Troubleshooting anti-forgery token problems

I have a form post that consistently gives me an anti-forgery token error.

Here is my form:

@using (Html.BeginForm()) {     @Html.AntiForgeryToken()     @Html.EditorFor(m => m.Email)     @Html.EditorFor(m => m.Birthday)     <p>         <input type="submit" id="Go" value="Go" />     </p> } 

Here is my action method:

[HttpPost] [ValidateAntiForgeryToken] public ActionResult Join(JoinViewModel model) {     //a bunch of stuff here but it doesn't matter because it's not making it here } 

Here is the machineKey in web.config:

<system.web>   <machineKey validationKey="mykey" decryptionKey="myotherkey" validation="SHA1" decryption="AES" /> </system.web> 

And here is the error I get:

A required anti-forgery token was not supplied or was invalid. 

I've read that changing users on the HttpContext will invalidate the token, but this isn't happening here. The HttpGet on my Join action just returns the view:

[HttpGet] public ActionResult Join() {     return this.View(); } 

So I'm not sure what's going on. I've searched around, and everything seems to suggest that it's either the machineKey changing (app cycles) or the user/session changing.

What else could be going on? How can I troubleshoot this?

like image 563
Jerad Rose Avatar asked Apr 24 '11 00:04

Jerad Rose


People also ask

How do anti-forgery tokens work?

Anti-Forgery TokensOne token is sent as a cookie. The other is placed in a hidden form field. The tokens are generated randomly so that an adversary cannot guess the values. When the client submits the form, it must send both tokens back to the server.

What is http anti-forgery exception?

Anti-forgery token is used to prevent CSRF (Cross-Site Request Forgery) attacks. Here is how it works in high-level: IIS server associates this token with current user's identity before sending it to the client. In the next client request, the server expects to see this token.

Where are anti-forgery tokens stored?

The token is stored as a cookie that's sent with every request the client makes. Generating and validating this cookie is performed by the Cookie Authentication Middleware.


2 Answers

I don't know if you mean you are able to get the error on demand - or you're seeing it in your logs but in any case here's a way to guarantee an antiforgery token error.

Wait for it...

  • Make sure you're logged out, then enter your login
  • Double click on the login button
  • You'll get :

The provided anti-forgery token was meant for user "", but the current user is "[email protected]".

(For now I'm going to assume that this exact error message changed in MVC4 and that this is essentially the same message you're getting).

There's a lot of people out there that still double click on everything - this is bad! I just figured this out after just waking up so how this got through testing I really don't know. You don't even have to double click - I've got this error myself when I click a second time if the button is unresponsive.

I just removed the validation attribute. My site is always SSL and I'm not overly concerned about the risk. I just need it to work right now. Another solution would be disabling the button with javascript.

This can be duplicated on the MVC4 initial install template.

like image 166
Simon_Weaver Avatar answered Sep 17 '22 12:09

Simon_Weaver


After help from Adam, I get the MVC source added to my project, and was able to see there are many cases that result in the same error.

Here is the method used to validate the anti forgery token:

    public void Validate(HttpContextBase context, string salt) {         Debug.Assert(context != null);          string fieldName = AntiForgeryData.GetAntiForgeryTokenName(null);         string cookieName = AntiForgeryData.GetAntiForgeryTokenName(context.Request.ApplicationPath);          HttpCookie cookie = context.Request.Cookies[cookieName];         if (cookie == null || String.IsNullOrEmpty(cookie.Value)) {             // error: cookie token is missing             throw CreateValidationException();         }         AntiForgeryData cookieToken = Serializer.Deserialize(cookie.Value);          string formValue = context.Request.Form[fieldName];         if (String.IsNullOrEmpty(formValue)) {             // error: form token is missing             throw CreateValidationException();         }         AntiForgeryData formToken = Serializer.Deserialize(formValue);          if (!String.Equals(cookieToken.Value, formToken.Value, StringComparison.Ordinal)) {             // error: form token does not match cookie token             throw CreateValidationException();         }          string currentUsername = AntiForgeryData.GetUsername(context.User);         if (!String.Equals(formToken.Username, currentUsername, StringComparison.OrdinalIgnoreCase)) {             // error: form token is not valid for this user             // (don't care about cookie token)             throw CreateValidationException();         }          if (!String.Equals(salt ?? String.Empty, formToken.Salt, StringComparison.Ordinal)) {             // error: custom validation failed             throw CreateValidationException();         }     } 

My problem was that condition where it compares the Identity user name with the form token's user name. In my case, I didn't have the user name set (one was null, the other was an empty string).

While I doubt many will run into this same scenario, hopefully others will find it useful seeing the underlying conditions that are being checked.

like image 30
Jerad Rose Avatar answered Sep 16 '22 12:09

Jerad Rose