12

The required anti-forgery cookie "__RequestVerificationToken" is not present.

I have added it in the cshtml and in the Controller also

    using (Html.BeginForm())
    {
        @Html.AntiForgeryToken()

        //some code
    }

    [HttpGet]
    [ValidateAntiForgeryToken]
    public ActionResult Index()
    {
        using (var db = new SampleEntities())
        {
            return View(db.Rfps.ToList());
        }
    }
user3233312
  • You don't need ValidateAntiForgeryToken for GET requests. Stripe. – Vladimirs Nov 05 '14 at 14:10
  • Indeed. The cookie should be set on the GET request and checked on the POST request. Checking the token on the GET will only result in an error, since it is the first request and the token wasn't set yet. – MovGP0 Apr 22 '16 at 17:07

3 Answers

39

In my case, I had this in my web.config:

<httpCookies requireSSL="true" />

But my project was set to not use SSL. Commenting out that line or setting up the project to always use SSL solved it.

Justin Skiles
  • This answer is what helped me. It is common during development to not use SSL, so setting **httpCookies** to require SSL causes cookies to not be sent when accessing the website on **localhost**. Just make sure to set it back to true when deploying - I usually do that in my Web.Release.config file. – Vladimir Petrov May 08 '15 at 14:18
  • Took me a whole day to figure it out. Without your answer it'd have taken so much more! Thanks. – E-A May 11 '15 at 06:36
  • I ran into this when the app moved behind a device that terminates SSL rather than the web server doing it. – Eric J. Jun 10 '16 at 00:35
  • My project didn't have SSL, so I used it like this and solved it :) – Sajjad.HS Aug 27 '18 at 06:01
8

The issue is because you are using a ValidateAntiForgeryToken attribute on a GET request. You don't need to use this attribute for GET actions. Look here for more information:

MikeDub
Pavel
  • Is this because ValidateAntiForgeryToken is for posting? – user3233312 Nov 05 '14 at 14:24
  • Yes, it helps you to ensure that the POST request was from a page which was generated by your application. This attack is called cross-site request forgery. – Pavel Nov 05 '14 at 14:32
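
The GET/POST split described in this answer, as an added example that is not code from any of the posts: the GET action issues the token, the POST action validates it, and a failed validation is logged and returned as a 400. The controller name `RfpController`, the `Rfp` entity with a `Title` property, and the `title` form field are assumptions; `SampleEntities` and `Rfps` come from the question.

```csharp
using System.Diagnostics;
using System.Linq;
using System.Web.Mvc;

public class RfpController : Controller   // controller name is an assumption
{
    // GET only renders the form. @Html.AntiForgeryToken() in the view sets the
    // __RequestVerificationToken cookie and the hidden field during this request,
    // so there is nothing to validate yet and no [ValidateAntiForgeryToken] here.
    [HttpGet]
    public ActionResult Index()
    {
        using (var db = new SampleEntities())
        {
            return View(db.Rfps.ToList());
        }
    }

    // POST changes state, so this is where the cookie/field pair is checked.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Index(string title)   // "title" is an assumed form field
    {
        using (var db = new SampleEntities())
        {
            if (string.IsNullOrWhiteSpace(title))
            {
                ModelState.AddModelError("title", "Title is required.");
                return View(db.Rfps.ToList());
            }
            db.Rfps.Add(new Rfp { Title = title });   // Rfp/Title are assumptions
            db.SaveChanges();
        }
        return RedirectToAction("Index");
    }

    // A missing or mismatched token surfaces as HttpAntiForgeryException
    // (for example the "cookie ... is not present" message). Log it and
    // answer 400 instead of letting it become an unhandled 500.
    protected override void OnException(ExceptionContext filterContext)
    {
        if (filterContext.Exception is HttpAntiForgeryException)
        {
            Trace.TraceWarning("Anti-forgery validation failed for {0}: {1}",
                filterContext.HttpContext.Request.RawUrl, filterContext.Exception.Message);
            filterContext.Result = new HttpStatusCodeResult(400, "Invalid anti-forgery token");
            filterContext.ExceptionHandled = true;
            return;
        }
        base.OnException(filterContext);
    }
}
```
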
2

In my case, it was because I ran another Asp.Net website before. So the cookies could not match for localhost. I cleared my cookies (just for localhost) and everything is fine now.

Daniel