I have used @Html.AntiForgeryToken() in my main .cshtml page <div ng-controller="MainController as vm">
I have followed this to implement it.
var headers = actionContext.Request.Headers;
var tokenCookie = headers
    .GetCookies()
    .Select(c => c["__RequestVerificationToken_L21vYmlsZQ2"]) //AntiForgeryConfig.CookieName
    .FirstOrDefault();
var tokenHeader = string.Empty;
if (headers.Contains("X-XSRF-Token"))
{
    tokenHeader = headers.GetValues("X-XSRF-Token").FirstOrDefault();
    AntiForgery.Validate(tokenCookie != null ? tokenCookie.Value : null, tokenHeader);
}
@Html.AntiForgeryToken() is generating a key (e.g. "xyz123"), while validating in OnActionExecuting() I'm getting a different key (e.g. "pqr678"), and in AntiForgery.Validate(tokenCookie != null ? tokenCookie.Value : null, tokenHeader); I'm getting the following error:
The anti-forgery token could not be decrypted. If this application is hosted by a Web Farm or cluster, ensure that all machines are running the same version of ASP.NET Web Pages and that the configuration specifies explicit encryption and validation keys.
Note: I do not have a duplicate token and I also tried to add a machine key in web.config ref
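
An added example, not part of the original post: a Web API action filter that performs the same cookie-plus-header check but reads the cookie name from AntiForgeryConfig.CookieName and rejects the request when the header is absent instead of skipping validation. The attribute name ValidateAntiForgeryHeaderAttribute is hypothetical, and the sketch assumes the client sends the value of the hidden __RequestVerificationToken field in the X-XSRF-Token header.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Helpers;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Hypothetical attribute name; apply it to Web API controllers or actions.
public sealed class ValidateAntiForgeryHeaderAttribute : ActionFilterAttribute
{
    private const string HeaderName = "X-XSRF-Token"; // header name from the post

    public override void OnActionExecuting(HttpActionContext actionContext)
    {
        var headers = actionContext.Request.Headers;
        var cookieName = AntiForgeryConfig.CookieName; // not a hard-coded cookie name

        // Cookie token: set by @Html.AntiForgeryToken() when the page was rendered.
        var cookieToken = headers.GetCookies(cookieName)
            .Select(c => c[cookieName].Value)
            .FirstOrDefault(v => !string.IsNullOrEmpty(v));

        // Header token: the client must send the value of the hidden
        // __RequestVerificationToken input, which is a different string
        // from the cookie value by design.
        IEnumerable<string> values;
        var headerToken = headers.TryGetValues(HeaderName, out values)
            ? values.FirstOrDefault()
            : null;

        try
        {
            // Validate throws when either token is null, empty or invalid,
            // so a request without the header is rejected, not skipped.
            AntiForgery.Validate(cookieToken, headerToken);
        }
        catch (System.Web.Mvc.HttpAntiForgeryException)
        {
            actionContext.Response = actionContext.Request.CreateErrorResponse(
                HttpStatusCode.Forbidden, "Anti-forgery validation failed.");
            return;
        }

        base.OnActionExecuting(actionContext);
    }
}
```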