views:

326

answers:

2

I'm occasionally getting this error during normal use, and I've not found a way to stop it without removing the attribute that requires the token, which I'd rather not do.

I've gotten this bug during my own testing (but seemingly randomly) and I know from my logging that actual logged-in users are getting it as well.

Does anyone know what would cause the antiforgerytoken system to break (other than a real attack), and how I could fix this without opening up a security hole in my forms?

Thanks!

A: 

Read the section here on limitations

prevent cross site request forgery

Jason Watts
No, it's all set up correctly. The error happens rarely, once a week or so, and occasionally during heavy testing.
Dave K
Thanks Jason, I'll give it a read.
Dave K
the only thing I saw in there that's any different from what I've implemented is, they show this:

    <% using(Html.Form("UserProfile", "SubmitUpdate")) { %>
        <%= Html.AntiForgeryToken() %>
        <!-- rest of form goes here -->
    <% } %>

while I commonly implemented this:

    <% using(Html.Form("UserProfile", "SubmitUpdate")) { %>
        <!-- rest of form goes here -->
        <%= Html.AntiForgeryToken() %>
    <% } %>

since this is a form post, I didn't think it would matter, and I still don't. But at this point I'll change anything to make it work.
Dave K
stackoverflow should allow code blocks in comments - anyway, the point is that I had the token field at the end instead of at the beginning of the form. Now it's at the beginning.
Dave K
A: 

Make sure that your ~/Web.config has a <machineKey> section and that you're setting the key from within that section. The anti-XSRF system requires this to be present.

Levi
I've already done this during my last attempt to fix this problem. It didn't help, but theoretically this was a necessary step. Thanks
Dave K
If you have access to your machine's event log, can you check it for any entries that are occurring at around the same time as the anti-XSRF invalid exception? For example, do these happen immediately after an AppDomain restart, etc.?
Levi
I'll look into this, Levi; another interesting thought. Not sure if it's session expiration or AppDomain restart at this point - both suggestions seem plausible. Thanks again!
Dave K
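As an added illustration of the machineKey point in the answer above (this is not code from the question or the answers), here is a Web.config fragment contrasting the default auto-generated keys with explicitly configured ones. The key values are obviously fake placeholders and must be replaced with keys generated for your own deployment.

```xml
<configuration>
  <system.web>
    <!-- Before: no <machineKey> element at all, which is equivalent to the
         commented-out defaults below. Auto-generated keys are not guaranteed
         to be identical on every server in a farm, and on some hosting setups
         they can be regenerated after an AppDomain restart, so an anti-forgery
         cookie issued under the old key no longer validates and the request
         fails with the anti-forgery exception. -->
    <!--
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
    -->

    <!-- After: explicit, stable keys shared by every server that serves the
         application. The values below are PLACEHOLDERS, not real keys:
         generate your own (for example with the "Generate Keys" action of the
         Machine Key feature in IIS Manager) and keep them out of source control.
         .NET 4 and later also accept validation="HMACSHA256". -->
    <machineKey validationKey="PLACEHOLDER_REPLACE_WITH_128_HEX_CHAR_VALIDATION_KEY"
                decryptionKey="PLACEHOLDER_REPLACE_WITH_64_HEX_CHAR_DECRYPTION_KEY"
                validation="SHA1"
                decryption="AES" />
  </system.web>
</configuration>
```

If the errors cluster around application restarts or appear only on some servers of a farm, that pattern points at unstable or mismatched keys rather than at forged requests.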