Error: Cross-site request forgery detected on version 9.12


Hi, we've updated to version 9.12 from 9.4 (we will update to newer versions in following weeks), and when editing a document the Dojo UI stops working and the browser console shows this message: "Unable to load /EPiServer/cms/Stores/contentdata/1388457_1636022 status: 500".

Investigating I've found the issue is present in these 2 calls made by the Dojo UI:

On the server side the exception is the following (I've replaced sensible data with *):

Cross-site request forgery detected [Client IP: 2.229.**.**, Referer: http://epistaging.**.it:81/EPiServer/Cms/, Url: http://epistaging.**.it:81/EPiServer/cms/Stores/contentversion/, User: IIS APPPOOL\appBeta.**.it]
System.InvalidOperationException: This request has probably been tampered with. Close the browser and try again.
in EPiServer.Framework.Web.AspNetAntiForgery.ThrowForgeryException()
in EPiServer.Shell.Services.Rest.RestHttpHandler.ValidateAntiForgeryToken(HttpContextBase httpContext)
in EPiServer.Shell.Services.Rest.RestHttpHandler.GetController(HttpContextBase httpContext)
in EPiServer.Shell.Services.Rest.RestHttpHandler.BeginProcessRequest(HttpContextBase context, AsyncCallback callback, Object extraData)
in EPiServer.Shell.Services.Rest.RestHttpHandler.BeginProcessRequest(HttpContext context, AsyncCallback cb, Object extraData)
in System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
in System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
in System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)


  • Please note that the Referer and the Url are the same, so it would not be a Cross-Site request.
  • I've tried to disable the AntiForgeryValidation module in the Plug-in Manager but the excetpion still throws.
  • On my development environment the error is not present and everything is ok. The issue is present only on staging environment which has nothing different from development enviroment except from the name of the domain (same configurations, they also connect to the same Db)

Any help is very welcomed

Thanks, Andrea

Mar 06, 2020 7:34

Hi Andrea,

Have you tried and closed ALL your browser windows (as the message suggests) and then access edit, does it still give this exception?

Also what you can do is look at your cookies for the site, find the cookie __epiXSRF and delete it, log out and login, still same error. I've had this similiar issue in the past and on one site it got fixed by just closing all broswer windows, starting new browser instance (as this should automatically clear the __epiXSRF cookie as it is set per session) and on another one i deleted the cookie myself and logout/login (the cookie gets set during login). 

Mar 06, 2020 17:39

Hi Antti, thanks for help. I've tried what you suggest but I still got the error.
Because in development environment everything is ok but in the staging environment I've got the issue, I've just erased completely the staging environement and re-installed it from zero: new IIS application, new restored database, everything.
Now the issue is gone.

Mar 09, 2020 10:41
This topic was created over six months ago and has been resolved. If you have a similar question, please create a new topic and refer to this one.
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.