Why does HttpAntiForgeryException occur randomly even with a static Machine Key?

asp.net-mvc exception azure antiforgerytoken
Dario Solera picture Dario Solera · Mar 29, 2012 · Viewed 16.1k times · Source

We have an ASP.NET MVC 2 (.NET 4) application running on Windows Azure (latest 2.x OS version) with two web role instances.

We use the anti-forgery token supplied by MVC for all POST requests, and we have set a static Machine Key in web.config, so everything works on multiple machines and across restarts. 99.9% of the cases it works perfectly.

Every now and then, however, we log a HttpAntiForgeryException, with message "A required anti-forgery token was not supplied or was invalid."

I know the problem might be cookies not being allowed in the browser, but we've verified that and cookies are enabled and being sent back and forth correctly.

The error occurs with a variety of browsers and obviously causes problems to the users because they have to repeat the operation or they can lose some data. Suffice it to say, we haven't been able to reproduce the problem locally, but it only happens on Windows Azure.

Why is that happening? How can we avoid it?

Answer

Ed Hintz picture Ed Hintz · May 11, 2012

I ran into this recently as well and found two causes.

1. Browser restores last session on open for page that is cached

If you have a page that is cachable that performs a post to your server (i.e. antiforgery will be on) and the user has their browser set to restore last session on start up (this option exists in chrome) the page will be rendered from cache. However, the request verification cookie will not be there because it is a browser session cookie and is discarded when browser is closed. Since the cookie is gone you get the anti-forgery exception. Solution: Return response headers so that the page is not cached (i.e. Cache-Control:private, no-store).

2. Race condition if opening more than one tab on start up to your site

Browsers have the option to open a set of tabs at start up. If more than one of these hit your site that returns a request verification cookie you can hit a race condition where the request verification cookie is overwritten. This happens because more than one request hits your server from a user that does not have the request verification cookie set. The first request is handled and sets the request verification cookie. Next the second request is handled, but it did not send the cookie (had not been set yet at request time) so the server generates a new one. The new one overwrites the first one and now that page will get an antiforgery request exception when it next performs a post. The MVC framework does not handle this scenario. This bug has been reported to the MVC team at Microsoft.

Related questions

MaxJsonLength exception in ASP.NET MVC during JavaScriptSerializer

In one of my controller actions I am returning a very large JsonResult to fill a grid. I am getting the following InvalidOperationException exception: Error during serialization or deserialization using the JSON JavaScriptSerializer. The length of the string exceeds the …

Read More
Why is this code throwing an InvalidOperationException?

I think that my code should make the ViewBag.test property equal to "No Match", but instead it throws an InvalidOperationException. Why is this? string str = "Hello1,Hello,Hello2"; string another = "Hello5"; string retVal = str.Split(",".ToCharArray(), StringSplitOptions.RemoveEmptyEntries) .First(…

Read More
I'm getting a "Does not implement IController" error on images and robots.txt in MVC2

I'm getting a strange error on my webserver for seemingly every file but the .aspx files. Here is an example. Just replace '/robots.txt' with any .jpg name or .gif or whatever and you'll get the idea: The controller …

Read More