tags:

views:

326

answers:

2
+1  Q: 

Intermittent error thrown, "A required anti-forgery token was not supplied or was invalid."

I'm occasionally getting this error during normal use, and I've not found a way to stop it without removing the attribute that requires the token, which I'd rather not do.

I've gotten this bug during my own testing (but seemingly randomly) and I know from my logging that actual logged-in users are getting it as well.

Does anyone know what would cause the antiforgerytoken system to break (other than a real attack), and how I could fix this without opening up a security hole in my forms?

Thanks!

A: 

Read the section here on limitations

prevent cross site request forgery

Jason Watts  2010-05-06 23:15:12
No it's all set up correctly. The error happens rarely, once a week or so and occasionally during heavy testing.
Dave K  2010-05-06 23:18:20
Thanks Jason, I'll give it a read.
Dave K  2010-05-07 02:01:40
the only think i saw in there that's any different from what i've implemented is, they show this:<% using(Html.Form("UserProfile", "SubmitUpdate")) { %> <%= Html.AntiForgeryToken() %> <!-- rest of form goes here --><% } %>while i commonly implemented this:<% using(Html.Form("UserProfile", "SubmitUpdate")) { %> <!-- rest of form goes here --><%= Html.AntiForgeryToken() %><% } %>since this is a form post, i didn't think it would matter, and i still don't. but at this point i'll change anything to make it work.
Dave K  2010-05-07 03:18:54
stackoverflow should allow code blocks in comments - anyway the point is that i had the token field at the end instead of at the beginning of the form. now it's at the beginning.
Dave K  2010-05-07 03:20:03
A: 

Make sure that your ~/Web.config has a <machineKey> section and that you're setting the key from within that section. The anti-XSRF system requires this to be present.

Levi  2010-05-07 00:15:26
I've already done this during my last attempt to fix this problem. It didn't help, but theoretically this was a necessary step. Thanks
Dave K  2010-05-07 02:01:23
If you have access to your machine's event log, can you check it for any entries that are occurring at around the same time as the anti-XSRF invalid exception? For example, do these happen immediately after an AppDomain restart, etc.?
Levi  2010-05-07 03:02:37
I'll look into this Levi, another interesting thought. Not sure if it's session expiration or appdomain restart at this point - both suggestions seem plausible. thanks again!
Dave K  2010-05-07 04:06:40

related questions

Redirecting to specified controller and action in asp.net mvc 2 action filter
Rendering the field name in an EditorTemplate (rendered through EditorFor())
Missing Classes and Methods in ASP.net MVC 2
using Html.EditorFor with an IEnumerable<T>
ASP.NET MVC and ViewState
ASP.NET MVC 2 DisplayFor()
Maintaining ViewData between RenderAction calls
ASP.NET MVC - Current Action from controller code?
Is it a good idea to put content access logic in a BaseController?
HttpModule with ASP.NET MVC not being called
Ways to define an ASP.NET MVC Route
ASP.NET MVC 2 Preview 1 - DataAnnotation Validation with complex model object
ASP.NET MVC 2 Preview 1 - Problem compiling StructureMap Controller Factory
ASP.NET-MVC2 Preview 1: Are There Any Breaking Changes?
Site navigation for an 'Admin' application in ASP.NET MVC
Html.LabelFor Specified Text [ASP.NET MVC 2]
Is it viable to use ASP.NET MVC 2 Preview 1 in a production application?
Unit tests on MVC validation
Form input validation options in ASP.NET MVC 1.0+
Validation: Model or ViewModel
ASP.NET MVC 2 editor template for value types, int
ASP.NET MVC 2 Preview 1 - what is the best way to implement areas?
ASP.NET MVC 2.0 overview information?
Passing Controller a FormCollection and an IList<T>
Best ASP.NET MVC book?