
AntiForgery validation errors


We've copied a complete setup of an R2 site, and are running the two sites on the same server. Pretty much only changed to a separate database, another siteId, another License.config and on another url. We're having lots of trouble logging into the new site, and we're seeing some AntiForgery validation errors in the logfiles:

2011-05-11 15:08:57,561|The required cookie __epiAntiForgeryToken_ZG9scGhpbmZkYi5la2xp has not been set in the request, either there is an invalid posting or the request has been forged[Client IP: x.x.x.x, Referer: http://x.x.x/xxLogin.aspx?ReturnUrl=/helhetslosningar/, Url: http://x.x.x.x/xxLogin.aspx?ReturnUrl=/, User: ]
2011-05-11 15:08:57,561|1.2.5 Unhandled exception in ASP.NET
System.Web.HttpUnhandledException (0x80004005): Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> EPiServer.Core.EPiServerException: This request has probably been tampered with. Close the browser and try again.
   at EPiServer.Web.PageExtensions.AntiForgeryValidation.ThrowForgeryException(String logMessage, String[] param)
   at EPiServer.Web.PageExtensions.AntiForgeryValidation.PreInit(Object sender, EventArgs e)

Any ideas why this new antiforgery stuff fails? How is the antiforgery token secret generated?



May 11, 2011 15:21

Did you figure out the reason?

The error message indicates that the cookie is missing on postback, it should automatically be generated on a GET request.


May 16, 2011 10:12

No I didn't. I had to disable the antiforgery plugin.

I could see that the cookie was missing sometimes, very strange. Haven't had time to investigate further.

May 16, 2011 12:52

I'm having this exact same problem. Seems to occur during Composer editing. For some reason the cookie seems to disappear, 'cause the site prompts for a new login, and then that exact same error occurs.

Oct 11, 2011 16:36

Any solution? I am getting this error in the log as well. It's CMS 6 R2, no Composer. Load balancing setup?

Mar 13, 2012 12:29

Anyone? Having the same issue on a newly upgraded site, CMS5 R2 to CMS6 R2 (no composer, enterprise setup).

Jun 19, 2012 13:58

You could try setting requestValidation to "2.0" if you're running the site on ASP.NET 4?

Should look something like this in web.config:

<httpRuntime requestValidationMode="2.0" />

Not sure if that's what's causing it, but worth a shot. ;)

Jun 19, 2012 14:02

Site is running ASP.NET 3.5, disable AntiForgeryValidation?

Jun 19, 2012 14:50

When running more than one site against the same database then the same machine key has to be used on both sites.

This is what solved it for me

Jun 21, 2012 9:29

We have been getting this issue in a secured CMS / Composer / Relate Intranet that uses a federated authentication process. Interestingly, it only happens from computers behind the client's firewall and remote access. It does not happen when using a browser that connects directly via the federated authentication process. I think we'll simply disable it, since the site is already highly secure and all users must be authenticated via the federated system.

Mar 22, 2013 3:16
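
An added example, not part of the thread and not EPiServer code: a triage script for the missing-cookie log line quoted in the first post. It buckets events by whether the Referer host matches the request host, because a host-only cookie set by one host name is not sent to a different one. The sample lines, IP addresses, host names and cookie suffix are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Layout of the log line quoted in the first post of this thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\|"
    r"The required cookie (?P<cookie>__epiAntiForgeryToken_\S+) has not been set"
    r".*?\[Client IP: (?P<ip>[^,]*), Referer: (?P<referer>.*?), "
    r"Url: (?P<url>.*?), User: (?P<user>[^\]]*)\]\s*$"
)

def parse_line(line):
    """Return the fields of a missing-cookie event, or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["referer_host"] = urlsplit(ev["referer"]).hostname
    ev["url_host"] = urlsplit(ev["url"]).hostname
    return ev

def triage(lines):
    """Count missing-cookie events per bucket and per client IP."""
    buckets, by_ip = Counter(), Counter()
    for ev in filter(None, map(parse_line, lines)):
        by_ip[ev["ip"]] += 1
        if ev["referer_host"] is None:
            buckets["no_referer"] += 1     # no Referer header was logged
        elif ev["referer_host"] != ev["url_host"]:
            buckets["host_mismatch"] += 1  # form came from another host name
        else:
            buckets["same_host"] += 1      # cookie lost on the same host
    return buckets, by_ip

# Constructed sample input (documentation IP ranges, example.test hosts).
MSG = ("{ts}|The required cookie __epiAntiForgeryToken_CONSTRUCTED has not been "
       "set in the request, either there is an invalid posting or the request "
       "has been forged[Client IP: {ip}, Referer: {ref}, Url: {url}, User: ]")
A, B = "http://site-a.example.test/Login.aspx", "http://site-b.example.test/Login.aspx"
SAMPLE = [
    MSG.format(ts="2000-01-01 10:00:00,000", ip="192.0.2.10", ref=A, url=B),
    MSG.format(ts="2000-01-01 10:00:05,120", ip="192.0.2.10", ref=B, url=B),
    MSG.format(ts="2000-01-01 10:01:00,300", ip="198.51.100.7", ref="", url=B),
    "2000-01-01 10:01:00,301|1.2.5 Unhandled exception in ASP.NET",  # ignored
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A count dominated by `host_mismatch` points at how the sites are addressed, while `same_host` events spread across many clients point at configuration on the server side.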