
In an MVC4 app running on Mono I get the error:

The anti-forgery cookie token and form field token do not match

on the "Login and Register" page. This page has a LoginOrRegisterViewModel which looks as follows:

public class LoginOrRegisterViewModel
{
    public LoginModel Login { get; set; }
    public RegisterModel Register { get; set; }
}

Which gets passed to the page on the GET request.

There are two Html.BeginForms() on the page, a Login form and a Register form. The first calls the Login action on the controller, the second the Register action. Both actions have a ValidateAntiForgeryToken attribute. When a form is submitted, the respective Login or Register model is obtained from the LoginOrRegisterViewModel.

When the page is loaded and a registered user tries to log in after some time (a few hours?), the "Login and Register" page initially shows, but when the Login form is submitted the error above shows until the root page is refreshed.

I have included a Machine Key in the Web.config and have added Html.AntiForgeryToken() to both forms. I have a suspicion this error might have to do with the two forms and the view model.

Does anyone know how the error can be fixed? Thanks.

user2609980
  • Are you reseeding the db using Code First in the meantime and forgot to turn it off or something? That's a typical situation where the user is recreated in the database, making for a difference in anti-forgery token. – Wim Ombelets Apr 12 '15 at 18:07
  • @WimOmbelets No the database is not reseeded. Only on registering the user is *created* (obviously). – user2609980 Apr 12 '15 at 18:39
  • Has the caller session expired during these few hours? AFAIK these tokens are stored in the session ... :) – dna Apr 15 '15 at 06:28
  • @dna Should that matter? These types of application errors are not good for the user experience. For now I just removed the anti-forgery tokens. – user2609980 Apr 15 '15 at 16:42
  • Well, if the session expires (with the anti-forgery token in it), the verification of the token will obviously fail when the user posts the form after that. I am not saying it's the cause of your error, but it might be something worth looking into. – dna Apr 15 '15 at 16:59
  • But @dna this happens on a new request of a previously logged-in user who was logged out for a while. So when a user logs in after one day this exception is thrown. Is there a way to handle it properly? – user2609980 May 01 '15 at 11:20
  • Take a look at this: http://stackoverflow.com/questions/18097401/the-anti-forgery-cookie-token-and-form-field-token-do-not-match-in-mvc-4/30972311#30972311 – Yovav Jun 22 '15 at 05:01

1 Answer


MVC best coding standard: always practice separation of concerns.

  • Create two different models: one LoginViewModel and one RegisterViewModel.
  • Create a separate partial view for both Login and Register and access them via the Partial or RenderAction keyword.

If you are putting @Html.AntiForgeryToken() on your HTML form, then in the same way you need to validate the anti-forgery token on the controller-side method by writing the attribute [ValidateAntiForgeryToken()].

The Html helper will generate a unique token inside your form, like:

<input name="__RequestVerificationToken" type="hidden" value="4dvPVQIvpXNEKZyV1DCjeN1rmtMDJ9fQ2">

For each form a unique anti-forgery token will be generated, and it will resolve your conflict.

Let me know in case you are still facing difficulty.

Gauttam Jada
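To make concrete what the question's error and the answer's "each form gets its own token" point mean, here is an added example that is not from the question, the answer, or ASP.NET MVC itself. It is a Python stand-in for the shape of the MVC4 anti-forgery check: a random cookie token, plus a per-form hidden-field token that is bound to that cookie token and to the current username and protected by an HMAC under a server secret (the role the Web.config machineKey plays). The secret, the `|`-separated token format, and the scenario in `simulate()` are all constructed for this demonstration, not MVC's real wire format.

```python
import base64
import hashlib
import hmac
import os

# Constructed stand-in for the machineKey; in MVC this comes from Web.config.
SECRET = b"constructed-demo-secret-not-a-real-machine-key"

MSG_MISMATCH = "The anti-forgery cookie token and form field token do not match"
MSG_NO_COOKIE = "anti-forgery cookie missing"
MSG_TAMPERED = "form field token failed integrity check"
MSG_USER_CHANGED = "form field token was issued for a different user"


def new_cookie_token():
    """Random per-browser token; lives in the __RequestVerificationToken cookie."""
    return base64.urlsafe_b64encode(os.urandom(16)).decode()


def issue_form_token(cookie_token, username=""):
    """What @Html.AntiForgeryToken() emits into the hidden field for one form.

    A fresh nonce makes every form on a page carry a different field value,
    while all of them stay bound to the same cookie token and current user.
    (Constructed format; base64/hex parts never contain the '|' separator.)
    """
    nonce = base64.urlsafe_b64encode(os.urandom(8)).decode()
    payload = f"{cookie_token}|{username}|{nonce}"
    mac = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


def validate(cookie_token, form_token, current_username=""):
    """The check [ValidateAntiForgeryToken] performs on a POST.

    Returns (ok, reason). Order matters: integrity first, so a forged field
    cannot steer which error is reported; then cookie binding; then identity.
    """
    if cookie_token is None:
        return False, MSG_NO_COOKIE
    try:
        bound_cookie, user, nonce, mac = form_token.split("|")
    except ValueError:
        return False, MSG_TAMPERED
    expected = hmac.new(SECRET, f"{bound_cookie}|{user}|{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return False, MSG_TAMPERED
    if not hmac.compare_digest(bound_cookie, cookie_token):
        return False, MSG_MISMATCH
    if user != current_username:
        return False, MSG_USER_CHANGED
    return True, "ok"


def simulate():
    """Constructed scenario: one page with two forms, then the failure cases."""
    results = {}
    cookie = new_cookie_token()                  # set when the page is rendered
    login_form = issue_form_token(cookie)        # hidden field in the Login form
    register_form = issue_form_token(cookie)     # hidden field in the Register form

    # Two forms on one page carry different field values but share the cookie.
    results["forms_differ"] = login_form != register_form
    results["login_post"] = validate(cookie, login_form)
    results["register_post"] = validate(cookie, register_form)

    # Stale page: the browser's cookie token was re-issued after rendering,
    # so the old hidden field no longer matches the cookie sent with the POST.
    results["stale_post"] = validate(new_cookie_token(), login_form)

    # Identity changed between render and POST (token minted for "alice",
    # request arrives anonymous): rejected even though the cookie matches.
    results["user_changed"] = validate(cookie, issue_form_token(cookie, "alice"))

    # Cookie dropped entirely, and a field value altered by one character.
    results["no_cookie"] = validate(None, login_form)
    flipped = "0" if login_form[-1] != "0" else "1"
    results["tampered"] = validate(cookie, login_form[:-1] + flipped)
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name}: {outcome}")
```

The `stale_post` case is the one that produces the exact message in the question: the hidden field is still bound to whatever cookie token was current when the page was rendered, so anything that replaces or drops that cookie before the POST (a new cookie issued on a later request, or a cookie that has expired) makes the two halves disagree. Re-rendering the page, as the question observes, issues a matching pair again.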