My ASP.NET MVC application prevents CSRF attacks by using the ValidateAntiForgeryToken attribute and calling Html.AntiForgeryToken to write a hidden input element with the token value, and also places the token in a cookie.

My exception log is reporting occurrences of HttpAntiForgeryException that look like they were triggered from valid Requests (the Referrer looks correct). The Response causing the exception also contains __RequestValidationToken in the Form field, with the token value. However, the necessary cookie is missing from the Request, causing the Validation to fail and an exception to be thrown.

I'm trying to think of why this cookie is missing and have come up with the following possible reasons:

  1. Cookies collection is full for the domain. - If this were the case here I'd expect to see 20/50 cookies in each request (BTW all the User-Agents are IE7 and IE8) and somehow the cookie is being dropped. I'm seeing between 3 and 23 cookies in various occurrences of the exception.
  2. Data limit of cookies has been reached. - This isn't happening. By looking at the logs I can see the cookie collection is small.
  3. The response is being sent back before the cookie can be added. - Not sure about this one. Manually calling Response.Flush in the head results in an Exception stating the cookies collection can't be modified after the response has been sent.
  4. ?

In desperation I turn to the people at SO and ask for any other possible causes of this missing cookie that I can investigate.
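As an added example (not code from the question or the answer): the protected action as described above, plus a diagnostic exception filter that, whenever ValidateAntiForgeryToken throws HttpAntiForgeryException, records whether the hidden form field and the anti-forgery cookie were actually present in the request. The `__RequestVerificationToken` name prefix, the `Trace` logger and the `AccountController` are assumptions for illustration.

```csharp
using System;
using System.Diagnostics;
using System.Linq;
using System.Web.Mvc;

// Diagnostic filter: on an anti-forgery failure, log enough to tell a missing
// cookie apart from a missing or mismatched hidden form field.
public class AntiForgeryDiagnosticsAttribute : FilterAttribute, IExceptionFilter
{
    // Assumed prefix shared by the hidden field and the anti-forgery cookie.
    private const string TokenPrefix = "__RequestVerificationToken";

    public void OnException(ExceptionContext filterContext)
    {
        if (!(filterContext.Exception is HttpAntiForgeryException)) return;

        var request = filterContext.HttpContext.Request;
        bool formHasToken = request.Form.AllKeys
            .Any(k => k != null && k.StartsWith(TokenPrefix, StringComparison.Ordinal));
        bool cookieHasToken = request.Cookies.AllKeys
            .Any(k => k != null && k.StartsWith(TokenPrefix, StringComparison.Ordinal));

        // Cookie names (never values) and the user agent give the log entry
        // the context needed to spot a browser or proxy dropping the cookie.
        Trace.TraceWarning(
            "AntiForgery failure: formToken={0} cookieToken={1} cookieCount={2} cookies=[{3}] ua={4}",
            formHasToken, cookieHasToken, request.Cookies.Count,
            string.Join(",", request.Cookies.AllKeys), request.UserAgent);
    }
}

// Register once in Global.asax.cs (MVC 3 and later):
//   GlobalFilters.Filters.Add(new AntiForgeryDiagnosticsAttribute());
// On MVC 2, apply [AntiForgeryDiagnostics] to the controller instead.

public class AccountController : Controller
{
    // The GET view renders the form with @Html.AntiForgeryToken() inside it,
    // which writes the hidden field and sets the matching cookie.
    [HttpGet]
    public ActionResult Edit() { return View(); }

    // The POST is rejected with HttpAntiForgeryException unless the hidden
    // field and the cookie are both present and match.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Edit(FormCollection form)
    {
        return RedirectToAction("Edit");
    }
}
```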

A: 

Is it possible that the user disabled cookies on the browser?

Ralph Stevens
Each exception log entry has other cookies in each Request.
rob_g