0

I have an ASP.NET Webpages Razor syntax page which all of a sudden has stopped authenticating users!

If a user tries to log in to the site now, the server responds with the message:

The required anti-forgery form field "__RequestVerificationToken" is not present.

Well.... It is!

Looking at the source of my login page, it does add the hidden field, as seen below:

```html
<section id="loginForm">
    <form method="post">
        <fieldset>
            <input name="__RequestVerificationToken" type="hidden" value="WgwaKIsXipJ4C8IRsaz__C_tW02ejupv8af-w3czwefo2AEacVlGs_k-lFNRfLqWr0inzHxtkEnXgPKZMvacv5u1LVfLphIP8R1JGukMZcA1" />
            <legend>Sign in to Your Account</legend>
            <ol>
                <li class="email">
                    <label for="email">Username</label>
                    <input type="text" id="email" name="username" />
                    <span class="field-validation-valid" data-valmsg-for="username" data-valmsg-replace="true"></span>
                </li>
                <li class="password">
                    <label for="password">Password</label>
                    <input type="password" id="password" name="password" />
                    <span class="field-validation-valid" data-valmsg-for="password" data-valmsg-replace="true"></span>
                </li>
                <li class="remember-me">
                    <input type="checkbox" id="rememberMe" name="rememberMe" />
                    <label class="checkbox" for="rememberMe">Remember me?</label>
                </li>
            </ol>
            <input type="submit" value="Sign in" />
        </fieldset>
    </form>
</section>
```

To create this field I use `@AntiForgery.GetHtml()`, and in the post method which authenticates users I have `@AntiForgery.Validate()` <---- This is where the website crashes and shows me the aforementioned error.

I don't know if this helps, but if I remove the validation altogether (server and client), I get a 403 error when attempting to log in to the website.

Oddly enough, this has happened all of a sudden without any intervention.

Finally, on my local machine this does not happen, only when hosted on IIS 8.

Harvey
  • Are you in a web farm? – Liam Mar 22 '16 at 12:09
  • Sorry, I don't understand what you mean? – Harvey Mar 22 '16 at 12:10
  • Check this: http://www.codeproject.com/Questions/776742/The-required-anti-forgery-form-field-RequestVerifi. – Lesmian Mar 22 '16 at 12:17
  • Is your web site hosted in a web farm? Is it served by multiple servers? The anti-forgery token will be unique per server, so if one server issues it, it won't be valid on a different server. – Liam Mar 22 '16 at 13:17
  • Ah, I see. No, it isn't. I have actually just tried to set the Decryption Key in the web.config, but there is still no luck on this issue. – Harvey Mar 22 '16 at 13:18
  • [Have you tried this](http://stackoverflow.com/a/2207535/542251) Or [this](http://stackoverflow.com/a/17232467/542251)? – Liam Mar 22 '16 at 13:20
  • I have. Now it's complaining that my username and password are null! ONLY on the server, my dev machine has no issues! – Harvey Mar 22 '16 at 13:23

1 Answer

1

I have finally discovered the issue with the IIS server!

On my web server I have a tool called ModSecurity installed that was obviously interfering with my POST requests.

By adding the line `<ModSecurity enabled="false" />` into the web.config of the site, everything was returned to its original state.

I hope this helps anyone else in the future with this issue.

Harvey
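
Added example, not part of the original question or answer: when ModSecurity is the component rejecting a POST, its audit log records which rule intercepted the request, which helps decide whether a single rule needs attention. This Python sketch parses ModSecurity's serial audit-log layout; the sample log, the `/Account/Login` path and rule ids 999001/999002 are constructed and do not reproduce the poster's logs.

```python
import re
from collections import Counter

# Constructed sample in ModSecurity's serial audit-log layout. The path,
# addresses, transaction ids and rule ids 999001/999002 are made up.
SAMPLE_AUDIT_LOG = """\
--5f3a9c01-A--
[22/Mar/2016:13:23:01 +0000] Vu1aAAAAAAAAAAAB 203.0.113.7 51234 192.0.2.10 80
--5f3a9c01-B--
POST /Account/Login HTTP/1.1
Content-Type: application/x-www-form-urlencoded
--5f3a9c01-H--
Message: Access denied with code 403 (phase 2). Pattern match "x" at ARGS:__RequestVerificationToken. [file "rules.conf"] [line "12"] [id "999001"] [msg "constructed rule"]
--5f3a9c01-Z--
--77b2d410-B--
GET /Content/site.css HTTP/1.1
--77b2d410-H--
Message: Warning. Pattern match "y" at REQUEST_HEADERS:Accept. [file "rules.conf"] [line "30"] [id "999002"] [msg "constructed rule"]
--77b2d410-Z--
"""

PART = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
RULE_ID = re.compile(r'\[id "(\d+)"\]')
MATCHED = re.compile(r" at ([A-Z_]+(?::[^\s.]+)?)\.")

def parse_transactions(text):
    """Split a serial audit log into {transaction id: {part letter: [lines]}}."""
    txs, tx, part = {}, None, None
    for line in text.splitlines():
        m = PART.match(line)
        if m:
            tx, part = m.groups()
            txs.setdefault(tx, {}).setdefault(part, [])
        elif tx is not None:
            txs[tx][part].append(line)
    return txs

def blocking_rules(text, method="POST"):
    """Count (path, rule id, matched variable) for intercepted requests."""
    hits = Counter()
    for parts in parse_transactions(text).values():
        request = (parts.get("B") or [""])[0].split()
        if len(request) < 2 or request[0] != method:
            continue
        for msg in parts.get("H", []):
            if msg.startswith("Message: Access denied"):
                rule, var = RULE_ID.search(msg), MATCHED.search(msg)
                hits[(request[1], rule.group(1) if rule else "?",
                      var.group(1) if var else "?")] += 1
    return hits
```

Calling `blocking_rules()` on the text of a real audit log returns a counter keyed by request path, rule id and matched variable; non-blocking warnings are ignored.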