That's a protection vs cross-site request forgery. Basically what happens is that you are probably re-posting the form but the anti-forgery token validation then says that the token doesn't match the user it was created for (session timeout). So I would say it's working as intended.
To avoid it you can redirect a logged out user to start page or reload the page since this will restart the session and give you a new valid cookie for antiforgery token.
It sounds strange that if a user starts filling out a form, takes a break for an hour, and comes back, the page fails?
Daniel: you say we can reload the page, but when we reload the page, the error happens.
You should be able to reload using a GET? (similar to open same address in new tab). If you reload using a POST (resending form data) it will trigger the validation of antiforgery token. Haven't tested it though but that is as it should work at least. The validation is to protect logged in users. If it didn't exist I could create posts as another logged-in user with a little effort and a fake site.
What you can do is have a JavaScript that sends the user to the start page after x mins of inactivity / session timeout and force them to login again. This will avoid the problem with session timing out and the token becoming invalid on the forms page.
For sites without login I guess it should be possible to remove the antiforgery check. Don't see why it's needed then. Haven't tested if that is possible with Episerver Forms out of the box though.
As it is a protection against XSRF attacks, also for anonymous users, I would not advise to remove it. You could catch the exception and handle it in a way that's user friendly, e.g. showing a message that explains that they need to fill in the form again due to inactivity.
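The inactivity redirect suggested in this thread, as an added example that is not part of any post or of Episerver Forms: it compares timestamps since the last server contact, because typing in a form does not extend the server session and timers pause while a tab sleeps. `createIdleGuard`, `markServerContact`, `SESSION_TIMEOUT_MS` and `START_PAGE_URL` are assumed names and values.

```javascript
// Added example. Both constants are assumptions; match them to the site's real settings.
const SESSION_TIMEOUT_MS = 20 * 60 * 1000; // assumed server session timeout
const START_PAGE_URL = "/";                // assumed start page

// Tracks time since the last server contact. `now` and `onExpire` are injected
// so the logic can be exercised without a browser.
function createIdleGuard(timeoutMs, now, onExpire) {
  let lastContact = now();
  let expired = false;

  // Returns true while the token on the page should still be valid.
  // Fires onExpire exactly once when the deadline has passed.
  function check() {
    if (!expired && now() - lastContact >= timeoutMs) {
      expired = true;
      onExpire();
    }
    return !expired;
  }

  // Call after a request that renewed the server session (sliding expiration
  // is an assumption). A guard that has already expired cannot be revived.
  function markServerContact() {
    if (check()) lastContact = now();
    return !expired;
  }

  return { check, markServerContact };
}

// Browser wiring, skipped when there is no DOM.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const guard = createIdleGuard(SESSION_TIMEOUT_MS, Date.now, () => {
    // location.assign issues a GET, so the stale token is never re-posted.
    window.location.assign(START_PAGE_URL);
  });
  setInterval(() => guard.check(), 30 * 1000);
  // Timers do not run while a laptop sleeps; re-check when the tab is shown again.
  document.addEventListener("visibilitychange", () => {
    if (!document.hidden) guard.check();
  });
  // Capture phase: cancel a submit that would carry an expired token.
  document.addEventListener("submit", (e) => {
    if (!guard.check()) e.preventDefault();
  }, true);
}
```
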
Hi!
We are working on styling Epi Forms, and therefore we are keeping the form in the browser for a long time - say 1 hour. If we then reload the page, we get an error message saying something about the antiforgerytoken not being valid. If we load the same page in a new tab, everything is ok. Is this a bug in Epi Forms, or is there something we can do to fix it?