The anti-forgery cookie token and form field token do not match in MVC 4

I’m using the default login module in ASP.NET MVC 4. I did not change any code in the default application and i hosted it on a shared server.

After i logged in using default login page. i kept the browser idle for some time. Then obviously application redirected to the login page when i try to perform any controller action with [Authorize] attribute.

Then i try to login again and it gives an error when i click on login button.

The anti-forgery cookie token and form field token do not match.

enter image description here

LogIn action

// POST: /Account/Login

        [HttpPost]
        [AllowAnonymous]
        [ValidateAntiForgeryToken]
        public ActionResult Login(LoginModel model, string returnUrl)
        {
            if (ModelState.IsValid && WebSecurity.Login(model.UserName, model.Password, persistCookie: model.RememberMe))
            {
                return RedirectToLocal(returnUrl);
            }

            // If we got this far, something failed, redisplay form
            ModelState.AddModelError("", "The user name or password provided is incorrect.");
            return View(model);
        }

Answers:

Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

I resolved the issue by explicitly adding a machine key in web.config.

Note: For security reason don’t use this key. Generate one from https://support.microsoft.com/en-us/kb/2915218#AppendixA. Dont use online-one, details, http://blogs.msdn.com/b/webdev/archive/2014/05/07/asp-net-4-5-2-and-enableviewstatemac.aspx

 <machineKey validationKey="971E32D270A381E2B5954ECB4762CE401D0DF1608CAC303D527FA3DB5D70FA77667B8CF3153CE1F17C3FAF7839733A77E44000B3D8229E6E58D0C954AC2E796B" decryptionKey="1D5375942DA2B2C949798F272D3026421DDBD231757CA12C794E68E9F8CECA71" validation="SHA1" decryption="AES" />

Here’s a site that generates unique Machine Keys:

http://www.developerfusion.com/tools/generatemachinekey/

Method 2

Another reason for having this error is if you are jumping between [Authorize] areas that are not cached by the browser (this would be done on purpose in order to block users from seeing protected content when they sign out and using the back button for example).

If that’s case you can make your actions non cached, so if someone click the back button and ended up on a form with @Html.AntiForgeryToken() the token will not be cached from before.

See this post for how to add [NoCache] ActionFilterAttribute:
How to handle form submission ASP.NET MVC Back button?

Method 3

make sure you put the @Html.AntiForgeryToken() in your page’s form

Method 4

I had this problem for a long time and assumed it was something wrong with ASP.NET.

In reality, it was the server. I was with WinHost then, and they have a 200MB memory limit. As soon as I had ~20 users on at the same time, my limit was reached. At this point, everyone was logged out and yielded these issues.

Method 5

For me, this was caused by submitting a form using a button tag. Changing this to an input submit tag resolves the issue.

Method 6

In My case “We found that the Site cache was enabled and due to this “anti-forgery” token value was not updating every time, after removing this cache
form is submitting.”

Method 7

In my case it was related to multiple cookie values set by domain site and subdomain site.

  • main.com set __RequestVerificationToken = 1
  • sub.main.com set __RequestVerificationToken = 2

but when request to sub.main.com was sent it used __RequestVerificationToken = 1 value from main.com


All methods was sourced from stackoverflow.com or stackexchange.com, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Subscribe
Notify of
guest

0 Comments
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x