AntiForgery validation errors

Vote:
 

We've copied a complete setup of an R2 site, and are running the two sites on the same server. Pretty much only changed to a separate database, another siteId, another License.config and on another url. We're having lots of trouble logging into the new site, and we're seeing some AntiForgery validation errors in the logfiles:

2011-05-11 15:08:57,561|The required cookie __epiAntiForgeryToken_ZG9scGhpbmZkYi5la2xp has not been set in the request, either there is an invalid posting or the request has been forged[Client IP: x.x.x.x, Referer: http://x.x.x/xxLogin.aspx?ReturnUrl=/helhetslosningar/, Url: http://x.x.x.x/xxLogin.aspx?ReturnUrl=/, User: ]
2011-05-11 15:08:57,561|1.2.5 Unhandled exception in ASP.NET
System.Web.HttpUnhandledException (0x80004005): Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> EPiServer.Core.EPiServerException: This request has probably been tampered with. Close the browser and try again.
   at EPiServer.Web.PageExtensions.AntiForgeryValidation.ThrowForgeryException(String logMessage, String[] param)
   at EPiServer.Web.PageExtensions.AntiForgeryValidation.PreInit(Object sender, EventArgs e)

Any ideas why this new antiforgery stuff fails? How is the antiforgery token secret generated?

Thanks,

Thomas

#50746
May 11, 2011 15:21
Vote:
 

Did you figure out the reason ?

The error message indicates that the cookie is missing on postback, it should automatically be generated on a GET request.

 

#50856
May 16, 2011 10:12
Vote:
 

No I didn't. I had to disable the antiforgery plugin.

I could see that the cookie was missing sometimes, very strange. Haven't had time to investigate further.

#50874
May 16, 2011 12:52
Ted
Vote:
 

I'm having this exact same problem. Seems to occure during Composer editing. For some reason the cookie seems to disappear, 'cause the site prompts for a new login, and then that exact same error occurs.

#54360
Oct 11, 2011 16:36
Vote:
 

Any solution? I am getting this error in the log as well. Its CMS 6 R2 no Composer. Load balancing setup?

#57384
Mar 13, 2012 12:29
Vote:
 

Anyone? Having the same issue on a newly uppgraded site, CMS5 R2 to CMS6 R2 (no composer, enterprise setup). 

#59607
Jun 19, 2012 13:58
Ted
Vote:
 

You could try setting requestValidation to "2.0" if you're running the site on ASP.NET 4?

Should look something like this in web.config:

<httpRuntime requestValidationMode="2.0" />

Not sure if that's what's causing it, but worth a shot. ;)

#59609
Jun 19, 2012 14:02
Vote:
 

Site are running ASP.NET 3.5, disable AntiForgeryValidation?

#59618
Jun 19, 2012 14:50
Vote:
 

When running more than one site agains the same database then the same machine key has to be used on both sites.

http://world.episerver.com/Blogs/Marco-ter-Horst--Mirabeau/Dates/2011/10/Load-balancing-EPiServer-CMS/

This is what solved it for me

#59681
Jun 21, 2012 9:29
Vote:
 

We have been getting this issue in a secured CMS / Composer / Relate Intranet that uses a federated authentication process. Interestingly, it only happens from computers behind the clients firewall and remote access. It does not happen when using a browser that connects directly via the federated authentiation process. I think we'll simply disable it, since the site is already highly secure and all users must be authenticated via the federated system.

#69110
Mar 22, 2013 3:16
This thread is locked and should be used for reference only. Please use the Episerver CMS 7 and earlier versions forum to open new discussions.
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.