Virtual Happy Hour this month, Jun 28, we'll be getting a sneak preview at our soon to launch SaaS CMS!

Try our conversational search powered by Generative AI!



Trying to set up an EPiServer 7 site with MVC. And everything has gone alright until i tried to create a Group in the Admin interface.

After clicking on the "Add"-button I receive:

Server Error in '/' Application.

This request has probably been tampered with. Close the browser and try again. 
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. 

Exception Details: System.InvalidOperationException: This request has probably been tampered with. Close the browser and try again.

Source Error: 

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.  

Stack Trace: 

[InvalidOperationException: This request has probably been tampered with. Close the browser and try again.]
   EPiServer.Framework.Web.AspNetAntiForgery.ThrowForgeryException() +395
   System.EventHandler.Invoke(Object sender, EventArgs e) +0
   System.Web.UI.Page.PerformPreInit() +49
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1844

Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.17929 

This is on an develper machine. Where have I gone wrong?

Nov 20, 2012 14:21

How have you set up the project? There seems to be a problem with the anti forgery if you don't run your site on a FQDN.

A typical case is that you run your site on http://mysite or just http://localhost. If you add a port number it seems to work. Can have something to with old cookies to0, try to clear em'.

Edited, Nov 20, 2012 15:10

What causes that exception to be thrown is if the token put in the form and the token put in a cookie don't "match".


If we assume that neither the form data nor the cookies have been intentionally changed/removed it seems most likely that it's the cookie that has been overwritten or something along those lines.


It's quite possibly related to what Johan was hinting at considering that cookies (in general) are scoped by domain (no port) and path.

Nov 20, 2012 15:38

Thanks for your replys!

I started with host "episerver7mvc" (port 80). Changed it to  "episerver7mvc" (port 17033) and that did not work either. Tried "" (port 17033) and that don't work either.

Can it be that I first created an empty EPiServer 7 site and then created an ASP.NET MVC 4 web application. Copied over the web application to the EPiServer site (without Global.* and Web.* files). Is there any other way to install that don't cause this problem?

I have emptied cookies from my browser as well, with no luck...

Nov 20, 2012 15:48

Not sure it matters for this, but does the siteUrl setting match your IIS host settings?

Nov 20, 2012 15:57

Yes they do.

Checked the cookies created when going into the admin-interface and there are none except ASP.NET_SessionId. Shouldn't there be a few others, like authtoken?

Can this be related to that I have uncommented the <authorization> element in web.config in order to get into EPiServer admin and create groups and roles for the first time?

Edited, Nov 20, 2012 16:01

It seems that when you don't use the login form the necessary cookies are not set. I created the Groups by using the "ASP.NET Configuration" to create the WebAdmins group and an admin user. Then I loged in the usual way and now I can create aditional groups in the admin interface.

Nov 21, 2012 10:03

If you use http and you have following line in your config

<httpCookies httpOnlyCookies="true" requireSSL="true"/>

just remove requireSSL attribute.

Feb 15, 2017 0:35
This topic was created over six months ago and has been resolved. If you have a similar question, please create a new topic and refer to this one.
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.