System.Web.Mvc.HttpAntiForgeryException: MVC 5

Question

Using MVC 5.1.1/VS 2013 Professional/.Net 4.5

I keep getting error once in a while (from localhost and from production IIS 7):

System.Web.Mvc.HttpAntiForgeryException: The anti-forgery cookie token and form field token do not match.

The issue seems to be when i logout a user, sometimes when i go to authenticate again thats when i get the error.

My authentication code looks like something like this:

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginViewModel model)
    {
        if (ModelState.IsValid)
        {

            var user = _uow.UserRepository.FindLogin(model.Email, model.Password);
            if (user != null)
            {
                var claims = new List<Claim>();
                claims.Add(new Claim(ClaimTypes.Email, user.Email));
                claims.Add(new Claim(ClaimTypes.NameIdentifier, user.UserID.ToString()));
                claims.Add(new Claim(ClaimTypes.Role, user.UserLevel.ToString()));

                var id = new ClaimsIdentity(claims, DefaultAuthenticationTypes.ApplicationCookie);

                var ctx = Request.GetOwinContext();
                var authenticationManager = ctx.Authentication;

                authenticationManager.SignIn(new AuthenticationProperties { IsPersistent = true }, id);

            }
            else
            {
                ModelState.AddModelError("", "Invalid Email Address or Password.");
            }
        }


        return View(model);
    }

Update with LogOut Method:

    [HttpGet]
    [AllowAnonymous]
    public ActionResult LogOut(LoginViewModel model)
    {
        Session.Abandon();
        return SignOffUser();
    }

    private ActionResult SignOffUser()
    {
        AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
        return RedirectToAction("Index", "Home");
    }

LogOut Form View

@if (Request.IsAuthenticated)
{
    using (Html.BeginForm(null, null, FormMethod.Post, new {id = "logoutForm", @class  = "navbar-right"}))
    {
        @Html.AntiForgeryToken()
        ....

    }
}

does that antiforgery error occur on logout only? login only? or both? — Dylan Corriveau, Apr 29 '14 at 14:50
only login? ok. Do you have @Html.AntiForgeryToken() inside of your login page? — Dylan Corriveau, Apr 29 '14 at 15:08
if it appears only in login, are you sure your login form has the `antiforgerytoken` generated inside the form in view? — Cybercop, Apr 29 '14 at 15:08
Yes, My login view has '@using (Html.BeginForm("Login","Login"))' and '@Html.AntiForgeryToken()' — DavidJS, Apr 29 '14 at 15:13
In doing more testing, i only seem to have problem in IE. I am using IE 11 on Windows 7/8 64 bit. — DavidJS, Apr 29 '14 at 19:47
This is happening to me in the exact same environment. I'm submitting the form using `$.ajax({type:"POST"...`. It appears that I was submitting two forms-worth of data by accident. — Albert Bori, Oct 28 '15 at 03:48

Cybercop · Answer 1 · 2014-04-29T15:11:38.283

0

Show your logout form(view).

This happens if you are calling the logout method in your controller from your view but don't have antiforgerytoken generated inside the form.

Your form should look like

@using(Html.BeginForm("Action","Controller"))
{
   @Html.antiforgerytoken()
   ....
}

Then the action you call via your view should look like

[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult MyAction()
{
   return content("hello user! Antiforgerytoken has been validated1");
}

PS: No matter what action method your form calls, if you want to have antiforgery token that needs to be validated, then the form and action method should look like what I've mentioned above.

edited Apr 29 '14 at 15:11

answered Apr 29 '14 at 14:40

Cybercop

8,475
21
75
135

Im not calling the logout on my Login View but my views code looks like this: – DavidJS Apr 29 '14 at 14:47
@using (Html.BeginForm()) { @Html.AntiForgeryToken() ...} . So do i need the "Action","Controller"? – DavidJS Apr 29 '14 at 14:47
try mentioning the action and controller you are calling to, and see if it works – Cybercop Apr 29 '14 at 14:50
Ok, i also added the View for the Logout. – DavidJS Apr 29 '14 at 14:53
1

then call the logout method which is of type HTTPPOST and validate antiforgery token for that method – Cybercop Apr 29 '14 at 14:55
I get a run time error for: [HttpPost] [ValidateAntiForgeryToken] public ActionResult LogOut(LoginViewModel model) – DavidJS Apr 29 '14 at 15:03
change null null in your form(view) to actual Action and controller name – Cybercop Apr 29 '14 at 15:05
@@Biplov13 Is the View ok for the logOut ? 'using (Html.BeginForm(null, null, FormMethod.Post, new {id = "logoutForm", @class = "navbar-right"}))' – DavidJS Apr 29 '14 at 15:05
also make sure your view is based upon your model `LoginViewModel` – Cybercop Apr 29 '14 at 15:07

score 0 · Answer 2 · answered Apr 29 '14 at 14:54

Another thing you may want to look at is that on your logout page, you don't necessary validate the forgery token.

Try changing this:

[HttpGet]
[AllowAnonymous]
public ActionResult LogOut(LoginViewModel model)
{

To this

[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public ActionResult LogOut(LoginViewModel model)
{

My bet is that the token is changing on the page, and since it's not validated, ASP.NET doesn't know if it is truly correct or not.

E: just noticed, it should actually be an httppost on logout

score 0 · Answer 3 · edited May 23 '17 at 10:27

Try setting explicitly machine key in web.config (under system.web):

 <machineKey validationKey="971E32D270A381E2B5954ECB4762CE401D0DF1608CAC303D527FA3DB5D70FA77667B8CF3153CE1F17C3FAF7839733A77E44000B3D8229E6E58D0C954AC2E796B" decryptionKey="1D5375942DA2B2C949798F272D3026421DDBD231757CA12C794E68E9F8CECA71" validation="SHA1" decryption="AES" />

Here's a site that generate unique Machnie Keys http://www.developerfusion.com/tools/generatemachinekey/

link: The anti-forgery cookie token and form field token do not match in MVC 4

System.Web.Mvc.HttpAntiForgeryException: MVC 5

3 Answers3