A required anti-forgery token was not supplied or was invalid

William Humphreys · Dec 21, 2011 · Viewed 13.6k times

I'm using MVC 3 and everything is set up correctly from what I can see.

A user authenticates, submits a form with the AntiForgery token, and everything works fine.

That is, unless the user has left the form to be submitted open and within that time that user's login has expired.

When the user submits the form, as they are no longer authenticated they should be taken back to the sign-in page (this does happen sometimes).

Instead the exception 'A required anti-forgery token was not supplied or was invalid.' is thrown. I imagine it's being thrown because the encrypted token contains some of the user details, which cannot be verified as the user is no longer authenticated.

The exception is correct but should never have been thrown, as the page should have jumped back to the login screen; the real issue is that the user walked away from an open form and his login timed out.

This problem is hard to replicate as it doesn't always do it.

I see a lot of people seem to be having this problem but no solutions are forthcoming.

Is this a problem within MVC itself?

Machine key setting and stuff are all correct, so that isn't the issue.

Answer

William Humphreys · Jul 12, 2012

The reason for this, it seems, is that in certain large organizations people leave their machines turned on without restarting, and browsers open without shutting them down, for a very, very long time. Sometimes even weeks on end.

If the Machine key has been added at a later date or changed, the machines that have not been switched off or had the browser shut down are the ones causing this error. Once every machine has been rebooted or the browser shut down the error will stop.

Note: To stop this error it's also important to create a machine key.

Google: machine key generator
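
The two causes raised on this page (the question's guess that the token is tied to the signed-in user, and the answer's changed machine key), shown as an added example that is not part of the original post. It is a simplified model, not ASP.NET MVC's actual token format or code: the function names, the HMAC-SHA256 construction and the keys are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os


def _mac(key: bytes, body: str) -> bytes:
    # Keyed integrity tag over the token body (stands in for machine-key protection).
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest().encode()


def issue_token(key: bytes, username: str) -> str:
    """Bind a random nonce and the signed-in username under the server key."""
    nonce = base64.urlsafe_b64encode(os.urandom(16)).decode()
    user = base64.urlsafe_b64encode(username.encode()).decode()
    body = nonce + "." + user
    return body + "." + _mac(key, body).decode()


def check_token(key: bytes, token: str, current_user: str) -> str:
    """Return 'ok' or the reason the submitted token is rejected."""
    parts = token.split(".")
    if len(parts) != 3:
        return "malformed"
    body = parts[0] + "." + parts[1]
    # Verify the tag first: a token protected under another key fails here.
    if not hmac.compare_digest(parts[2].encode(), _mac(key, body)):
        return "bad-signature"
    # Then compare the bound user with whoever is making the request now.
    token_user = base64.urlsafe_b64decode(parts[1])
    if not hmac.compare_digest(token_user, current_user.encode()):
        return "user-mismatch"
    return "ok"


def scenarios() -> dict:
    old_key, new_key = os.urandom(32), os.urandom(32)  # constructed keys
    form = issue_token(old_key, "alice")  # form rendered, then left open
    return {
        "same key, still signed in": check_token(old_key, form, "alice"),
        "same key, login expired": check_token(old_key, form, ""),
        "key changed while form was open": check_token(new_key, form, "alice"),
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case}: {result}")
```

In this model the last two cases are rejected for different reasons, which is why a form left open across either a login timeout or a key change fails on submit even though the user did nothing wrong.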