tags:

views:

94

answers:

2
+1  Q: 

ASP.NET MVC AntiForgeryToken throwing its exception on GET?

I've got a weird error in a couple MVC apps that I've not noticed before; it's happening in my app (across the board) and also it happened when I tried running the latest Orchard drop (so I know it's not just my code).

Basically, the issue is that I get the exception that should be thrown when an AntiforgeryToken isn't supplied, but is expected, only I get it when I hit the GET actions; the first time I'm visiting a page.

I've traced the behavior down to happen when I rebuild an app or redeploy it. For example, I was running my site on my local IIS server, then changed the settings to run in Cassini (obviously rebuilding, etc in the middle) and I got the error. Same thing when I scrapped a Orchard site and rebuilt it (in the same VS). Same when I redeployed a site I have on the web.

The solution I found was to clear my browser cookies, but it seems very odd that you'd get hit that error when doing a GET against an endpoint, or am I missing something?

+1  A: 

Are you positive that the action you are hitting is not decorated with [ValidateAntiForgeryToken] attribute? This exception is thrown only if you have the attribute.

Darin Dimitrov  2010-06-22 05:51:26
Positive. This is being hit on the GET side of a Create method. It has no ValidateAntiForgeryToken attribute on it, though the POST side does. this is also across a number of different applications.
Paul  2010-06-23 15:38:59
A: 

This is because the cookie is encrypted by different environments. Without specifying an machine key for encryption, .NET uses the one buried in machine.config.

To fix add a manual machine key definition in your web.config:

<system.web>    
<machineKey validationKey="stuff" decryptionKey="stuff" validation="SHA1" decryption="AES" />

Use this to generate one:

http://aspnetresources.com/tools/keycreator.aspx

jfar  2010-06-22 13:40:14
I'll give that a try, and mark answer when it works, thanks. I hadn't considered that.
Paul  2010-06-23 15:41:22
Worked, thanks for the tip!
Paul  2010-06-28 15:16:35

related questions

What's the best way to implement field validation using ASP.NET MVC?
How do I handle page flow in MVC (particularly asp.net)
Entity diagrams in ASP.NET MVC
How do I get rid of Home in ASP.Net MVC?
Can I generate ASP.NET MVC routes from a Sitemap?
ASP.NET Model-view-controller (MVC) - where do I start from?
user controls and asp.net mvc
ASP.Net MVC route mapping
RSS Feeds in ASP.NET MVC
Open Source Licensing Options for ASP.NET MVC Application?
Does the OutputCacheFilter in the Microsoft MVC Preview 4 actually save on action invocations?
MVC Learning Resources
Validating posted form data in the ASP.NET MVC framework
Best mock framework that can do both WebForms and MVC?
Use the routing engine for form submissions in ASP.NET MVC Preview 4
How do you get a custom id to render using HtmlHelper in MVC
MVC Preview 4 - No route in the route table matches the supplied values.
Is there a way to include a fragment identifier when using Asp.Net MVC ActionLink, RedirectToAction, etc. ?
In ASP.NET MVC I encounter an incorrect type error when rendering a user control with the correct typed object
ASP.NET MVC - Is it worth it yet?
Multiple languages in an ASP.NET MVC application?
Is it better to create Model classes, or just stick with generic database utility class?
ASP.NET MVC Without Visual Studio
ASP.NET MVC "CRUD" Database Sample
How to RedirectToAction in ASP.NET MVC without losing request data