
Our site is encountering HttpAntiForgeryExceptions: "A required anti-forgery token was not supplied or was invalid." Unfortunately it is very difficult for us to replicate this error because of the infrequency with which it occurs, but because of the level of traffic our site receives, this exception does occur several hundred times per hour.

We are using a load-balanced web farm, but I have ensured that all servers are configured to use the same machinekey.

Every ActionMethod which we have added the [ValidateAntiForgeryToken] attribute to receives this error, but only sporadically. The majority of this code has not changed in over a year, but no action method with [ValidateAntiForgeryToken] seems immune.

We are not using any salting. Only @Html.AntiForgeryToken() in the views with [ValidateAntiForgeryToken] on our HttpPost action methods.

I can see in Fiddler the antiforgery cookies and form post values, but of course it all looks like gibberish.

After staring at this problem for quite some while, a whole group of us really don't have any clue where to start. Thank you for any help you might be able to provide.

  • Are you using authentication on your site? – Darin Dimitrov Mar 13 '12 at 15:28
  • Yes. We are using FormsAuthentication. How is this relevant? I've seen a reference or two that it might be relevant, but can't figure out how so. –  Mar 13 '12 at 15:34
  • The `ValidateAntiForgeryToken` attribute verifies that the current user is the same as the one that was connected (or not connected) at the moment this token was emitted. The username is actually part of the encrypted token. And if the user somehow changes in between, you will get an exception. What kind of controller actions have you decorated with this attribute? What are those actions doing? How are they invoked? Do they all require that a user is authenticated in order to invoke them? – Darin Dimitrov Mar 13 '12 at 15:39
  • Thanks, Darin. I'm perusing the System.Web.Mvc source right now. Regarding the section detailed in the accepted answer here http://stackoverflow.com/questions/5767768/troubleshooting-anti-forgery-token-problems I'm probably going to modify each of the calls to CreateValidationException() to throw unique exception messages to help us troubleshoot. –  Mar 13 '12 at 16:17
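One way to get the per-failure detail the asker wants without patching the System.Web.Mvc source: a wrapper attribute (added example, not code from the question or from ASP.NET MVC) that runs the stock `ValidateAntiForgeryTokenAttribute` and, when it throws `HttpAntiForgeryException`, logs whether the cookie and form field were present and which user the request ran as, so the failures can be bucketed into "no cookie", "no form token" and "tokens present but user/identity mismatch" (the case Darin describes). The class name, the `System.Diagnostics.Trace` sink and the "__RequestVerificationToken" prefix match are this example's assumptions; token values are deliberately never logged.

```csharp
using System;
using System.Diagnostics;
using System.Linq;
using System.Web.Mvc;

// Drop-in replacement for [ValidateAntiForgeryToken]: same validation, same
// rejection, but each failure is recorded with enough context to diagnose it.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public sealed class DiagnosticValidateAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    // Form field name used by @Html.AntiForgeryToken(); the cookie uses the
    // same name, optionally suffixed with an encoded application path.
    private const string TokenName = "__RequestVerificationToken";

    private readonly ValidateAntiForgeryTokenAttribute _inner = new ValidateAntiForgeryTokenAttribute();

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        try
        {
            _inner.OnAuthorization(filterContext); // identical check to the stock attribute
        }
        catch (HttpAntiForgeryException ex)
        {
            var request = filterContext.HttpContext.Request;
            var identity = filterContext.HttpContext.User.Identity;

            // Prefix match because of the optional application-path suffix on the cookie name.
            bool hasCookie = request.Cookies.AllKeys.Any(k => k.StartsWith(TokenName, StringComparison.Ordinal));
            bool hasFormToken = !string.IsNullOrEmpty(request.Form[TokenName]);

            // Both present + authenticated user => most likely the identity changed between
            // rendering the form and posting it (login/logout in between, or a stale tab).
            Trace.TraceWarning(
                "AntiForgery failure: action={0}/{1} cookie={2} formToken={3} authenticated={4} user='{5}' referrer={6} msg={7}",
                filterContext.ActionDescriptor.ControllerDescriptor.ControllerName,
                filterContext.ActionDescriptor.ActionName,
                hasCookie, hasFormToken, identity.IsAuthenticated, identity.Name,
                request.UrlReferrer, ex.Message);

            throw; // keep the original behaviour: the request is still rejected
        }
    }
}
```

Apply `[DiagnosticValidateAntiForgeryToken]` in place of `[ValidateAntiForgeryToken]` on the HttpPost actions; the `Trace` output can be routed to whatever listener the farm already uses, and correlating the `user`/`authenticated` fields with the login flow is what distinguishes the machineKey and cookie problems from the identity-mismatch case.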
