4

We're using Amazon EC2 Elastic Beanstalk on an ASP.NET MVC 4 site and are getting an error after the user tries to log in:

The anti-forgery token could not be decrypted. If this application is hosted by a Web Farm or cluster, ensure that all machines are running the same version of ASP.NET Web Pages and that the configuration specifies explicit encryption and validation keys. AutoGenerate cannot be used in a cluster.

We thought the issue might be due to the session state being in proc and having dynamic instances so we moved that to SQL Server but are still getting the error. What's weird is that sometimes the login is fine and sometimes you get the error.

Is there something special that needs to be done to handle this issue for ASP.NET MVC in a dynamic web server environment like EC2?

Austin
  • 1
    http://iamdotnetcrazy.blogspot.co.uk/2013/08/how-to-solve-anti-forgery-token-could.html – Zaki Jan 29 '15 at 09:08

3 Answers

3

You need to include the decryption key and validation key explicitly set inside the web.config:

<configuration>
  <system.web>
    <machineKey decryptionKey="Decryption key goes here, IsolateApps" 
                validationKey="Validation key goes here, IsolateApps" />
  </system.web>
</configuration>

You can check the following article for details: http://iamdotnetcrazy.blogspot.com/2013/08/how-to-solve-anti-forgery-token-could.html

Hossam Barakat
  • Thanks, this worked perfectly. I didn't use the IsolateApps part. Is that needed? – Austin Jan 30 '15 at 15:25
  • Good to know that it worked. No, not needed, and here is why: http://stackoverflow.com/a/15400821/499930 – Hossam Barakat Jan 30 '15 at 19:46
  • Just checking if there is any other option than adding a machine key. If I change server, I will have to keep updating the machine key in my configs. – user2081126 May 19 '20 at 19:32
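
An added example, not from any of the posts above: a Python script that generates a `<machineKey>` element with random keys and audits a web.config for the conditions the error message names (AutoGenerate or missing explicit keys). The function names, the sample config and the key sizes (32-byte decryption key, 64-byte validation key) are this example's assumptions.

```python
import re
import secrets
import xml.etree.ElementTree as ET

KEY_ATTRS = ("decryptionKey", "validationKey")
HEX = re.compile(r"(?:[0-9A-Fa-f]{2})+")

# Constructed sample: the answer's config with its placeholder text left in.
PLACEHOLDER = """<configuration><system.web>
  <machineKey decryptionKey="Decryption key goes here, IsolateApps"
              validationKey="Validation key goes here, IsolateApps" />
</system.web></configuration>"""


def new_machine_key_element():
    """Render a <machineKey> with fresh random keys from the OS CSPRNG."""
    dec = secrets.token_hex(32).upper()   # 32 bytes: this example's choice
    val = secrets.token_hex(64).upper()   # 64 bytes: this example's choice
    return f'<machineKey decryptionKey="{dec}" validationKey="{val}" />'


def audit_machine_key(web_config_xml):
    """Return findings that would let farm instances disagree on keys."""
    root = ET.fromstring(web_config_xml)
    node = root.find("system.web/machineKey")
    if node is None:
        # With no element, ASP.NET falls back to auto-generated keys.
        return ["no <machineKey> element: keys are auto-generated per machine"]
    findings = []
    for attr in KEY_ATTRS:
        raw = node.get(attr, "AutoGenerate")
        # Value is "key[,modifier...]", e.g. "AutoGenerate,IsolateApps".
        key, *modifiers = [part.strip() for part in raw.split(",")]
        if key.lower() == "autogenerate":
            findings.append(f"{attr}: AutoGenerate, generated per machine")
        elif not HEX.fullmatch(key):
            findings.append(f"{attr}: not a hex string (placeholder left in?)")
        if modifiers:
            findings.append(f"{attr}: modifiers present: {', '.join(modifiers)}")
    return findings


if __name__ == "__main__":
    for finding in audit_machine_key(PLACEHOLDER):
        print(finding)
    print(new_machine_key_element())
```

Generate the element once and deploy the same value to every instance; the keys are secrets, so keep them out of source control.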
1

I removed 'IsolatedApps', that seemed to work for me.

0

My fix was to get the cookie and form token value like this:

AntiForgery.GetTokens(null, out var cookieToken, out var formToken);
Alexander