We have a website that uses MVC3 and a custom authentication method that does not rely on forms authentication at all -- at least from what I can tell. In web.config we set

<authentication mode="None"></authentication>

and we never use/set HttpContext.User anywhere in code. The problem is that when using @Html.AntiForgeryToken(), in some cases the user gets this error message:

A required anti-forgery token was not supplied or was invalid

We centralize all anti-forgery checks in OnAuthorization with this code:

if (String.Compare(filterContext.HttpContext.Request.HttpMethod, "post", true) == 0)
{
  var forgery = new ValidateAntiForgeryTokenAttribute();
  forgery.OnAuthorization(filterContext);
}

That is where the exception occurs. We have defined a machineKey in web.config to prevent new keys being generated when the application pool recycles. This did not fix the problem.

Next we thought that maybe the client's browser is not sending cookies. We started logging cookies and noticed that in some cases the RequestVerificationToken_Lw cookie is sent, but in others it is not -- even though other cookies, like the ones made by Google Analytics, are sent along just fine. Could it be that something in the browser is stripping out some cookies and leaving others in?

It seems like the anti-forgery token depends on forms authentication. Is this the case? Is there any way to keep using the AntiForgeryToken reliably when not using forms authentication? Keep in mind that the method I described above works for more than 90% of cases, but we can't pinpoint why it doesn't work for some people.

Thoughts?
Thanks!

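As an added example (not code from the original question), here is a centralised POST-only filter equivalent to the OnAuthorization snippet above that, before delegating to the framework's own validation, records which half of the token pair (cookie vs. hidden form field) actually arrived, so that "cookie never sent" can be told apart from "cookie sent but mismatched". The cookie and field names are the MVC3 defaults for an application rooted at "/" and are assumptions; adjust them if the app runs under a virtual directory.

```csharp
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Mvc;

// Example filter, not from the original post. Wraps the stock
// ValidateAntiForgeryTokenAttribute so the validation rules stay
// identical, and logs diagnostic context on failure without ever
// writing the token values themselves to the log.
public sealed class LoggedAntiForgeryAttribute : FilterAttribute, IAuthorizationFilter
{
    // Assumed MVC3 defaults for an app at the site root ("Lw" is "/" base64-encoded).
    private const string CookieName = "__RequestVerificationToken_Lw";
    private const string FieldName = "__RequestVerificationToken";

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        HttpRequestBase request = filterContext.HttpContext.Request;

        // Only state-changing requests are checked; GET is left alone.
        if (!string.Equals(request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
            return;

        bool hasCookie = request.Cookies[CookieName] != null;
        bool hasField = !string.IsNullOrEmpty(request.Form[FieldName]);

        try
        {
            // Delegate the real check to the framework attribute.
            new ValidateAntiForgeryTokenAttribute().OnAuthorization(filterContext);
        }
        catch (HttpAntiForgeryException ex)
        {
            // Presence flags, browser and source address are enough to
            // correlate failures with a client population; no token material.
            Trace.TraceWarning(
                "Anti-forgery failure on {0}: cookie={1} field={2} ua=\"{3}\" ip={4} msg={5}",
                request.RawUrl, hasCookie, hasField,
                request.UserAgent, request.UserHostAddress, ex.Message);
            throw;
        }
    }
}
```

Register it in the global filter collection (or on the base controller) in place of the inline check, and the log will show whether the failing requests are missing the cookie, the hidden field, or both.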

2 Answers


Do some users have this issue all the time? Or just some of the time? Also, does it work for some of the methods ALL the time, or is it inconsistent for the same action method? Do you have any AJAX calls? The default anti-forgery token implementation does not handle AJAX calls, but you can write some custom code to get it to work.

  • I don't know why that showed up as an answer and not a comment – Ryand.Johnson Nov 17 '11 at 20:39
  • Thanks for your reply! 1) Some users seem to have it all the time, but the one user I was able to get in contact with is somewhat non-technical, so I couldn't investigate too much. I do see their IP and error in the log, so I know it's legit. 2) No AJAX calls on those pages. I'm aware of those limitations and I have worked around them where needed. – pbz Nov 18 '11 at 04:03

Are you adding the antiforgery token inside of the form? The antiforgery token is stored on the client via a hidden HTML element and not as a cookie. The other question would be what browser version are they using? Or can they upgrade to the latest?

   @using (Html.BeginForm())
   {
      @Html.AntiForgeryToken()
      ...
   }
  • Yes, I'm including the token inside the form. I do not know what version they are using, but they are using Internet Explorer (according to the one person I was able to get in touch). This has happened to other people, but unfortunately I didn't log the browser version. I may have to go back and log as much as I can to get more data. I was hoping others came across this problem before. – pbz Nov 18 '11 at 17:49