I use @Html.AntiForgeryTokenOrchard() method to render the token. I get this error when submitting a form. The site is on Azure Web. When I use the original site name xxxx.azurewebsites.net the token works. Only, when I use the mapped domain name I get this error. The error is regardless of the browser, however if I force updating the site (CTRL+F5) and post the form, the token works. If I open a new incognito browser window it fails again for the new session.
I have the machine key configured in web.config.
Please, help me to get rid of this annoying bug. Any help is appreciated. Thanks.
You can't have both anti-forgery and caching, on the same form, because the anti-forgery token is not reusable and is part of the response. As a consequence, you need to choose between them. Any form that has information that shouldn't be possible to forge (and that's almost any form) should have anti-forgery on. So the default solution should be to disable caching, using the [OutputCache] attribute on the controller action that renders the form. If you prefer caching over anti-forgery, anti-forgery can now be turned off action by action, using the [ValidateAntiForgeryTokenOrchard] attribute on the action that is the target of the form.
But again, disabling caching should be preferred.
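
A simplified model of the conflict described in the answer above, added as an illustration and not taken from the thread or from Orchard's code. The `Site` class, the HMAC-based token and the `/contact` URL are assumptions standing in for the real anti-forgery and output-cache implementations.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed stand-in for the machine key


def form_token_for(cookie_token: str) -> str:
    """Hidden-field token, bound to one visitor's anti-forgery cookie."""
    return hmac.new(SERVER_KEY, cookie_token.encode(), hashlib.sha256).hexdigest()


class Site:
    """Hypothetical site with an output cache in front of the form page."""

    def __init__(self, cache_enabled: bool):
        self.cache_enabled = cache_enabled
        self.cache = {}  # url -> rendered response body

    def get_form(self, url: str, browser: dict) -> str:
        """Return the rendered hidden-field token; browser is a cookie jar."""
        if self.cache_enabled and url in self.cache:
            # The cached body is replayed unchanged: no cookie is issued and
            # the embedded token belongs to whoever populated the cache.
            return self.cache[url]
        browser.setdefault("csrf_cookie", secrets.token_hex(16))
        body = form_token_for(browser["csrf_cookie"])
        if self.cache_enabled:
            self.cache[url] = body
        return body

    def post_form(self, browser: dict, submitted_token: str) -> bool:
        """Validate that the submitted token matches this visitor's cookie."""
        cookie = browser.get("csrf_cookie")
        if cookie is None:
            return False
        return hmac.compare_digest(form_token_for(cookie), submitted_token)


def visitors_can_post(cache_enabled: bool) -> tuple:
    """Two fresh sessions load the same form, then each posts its own copy."""
    site = Site(cache_enabled)
    first, second = {}, {}
    token_first = site.get_form("/contact", first)    # populates the cache
    token_second = site.get_form("/contact", second)  # may be served from cache
    return site.post_form(first, token_first), site.post_form(second, token_second)


if __name__ == "__main__":
    print("caching on :", visitors_can_post(True))
    print("caching off:", visitors_can_post(False))
```

With caching on, only the session that rendered the page can post it; with caching off, every session gets its own token and both posts validate.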