
Why __RequestVerificationToken is not found in Mono 4.2.2


An ASP.NET MVC4 application uses cross-site forgery prevention according to the MVC4 doc.

In the form there is a hidden variable

...

and a cookie

The browser posts the cookie

__RequestVerificationToken

The post method handler is decorated with

[HttpPost,ValidateAntiForgeryToken]

attributes. The https protocol is used. It worked earlier. After the application was upgraded, submitting the form in some cases produces an exception

    System.Web.Mvc.HttpAntiForgeryException
    The required anti-forgery cookie "__RequestVerificationToken" is not present.

Description: HTTP 500.Error processing request.
Details: Error processing request.
Exception stack trace:
  at System.Web.Helpers.AntiXsrf.TokenValidator.ValidateTokens (System.Web.HttpContextBase httpContext, IIdentity identity, System.Web.Helpers.AntiXsrf.AntiForgeryToken sessionToken, System.Web.Helpers.AntiXsrf.AntiForgeryToken fieldToken) <0x4098fc20 + 0x003af> in <filename unknown>:0 
  at System.Web.Helpers.AntiXsrf.AntiForgeryWorker.Validate (System.Web.HttpContextBase httpContext) <0x4098e540 + 0x00092> in <filename unknown>:0 
  at System.Web.Helpers.AntiForgery.Validate () <0x4098e490 + 0x0006f> in <filename unknown>:0 
  at System.Web.Mvc.ValidateAntiForgeryTokenAttribute.OnAuthorization (System.Web.Mvc.AuthorizationContext filterContext) <0x4098e420 + 0x0002b> in <filename unknown>:0 
  at System.Web.Mvc.ControllerActionInvoker.InvokeAuthorizationFilters (System.Web.Mvc.ControllerContext controllerContext, IList`1 filters, System.Web.Mvc.ActionDescriptor actionDescriptor) <0x41389eb0 + 0x00097> in <filename unknown>:0 
  at System.Web.Mvc.Async.AsyncControllerActionInvoker+<>c__DisplayClass25.<BeginInvokeAction>b__1e (System.AsyncCallback asyncCallback, System.Object asyncState) <0x4138957

How to fix this so that the Request Verification Token can be used?


Solution

  • From your description, you are telling the Action method to check the token but your form is not sending it, hence the missing __RequestVerificationToken.

    __RequestVerificationToken is generated by calling the helper method @Html.AntiForgeryToken() in the form.

    For example:

    @using (Html.BeginForm("Manage", "Account")) { @Html.AntiForgeryToken() }

    For more info, please see: http://www.asp.net/web-api/overview/security/preventing-cross-site-request-forgery-csrf-attacks
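
An added example, not part of the original answer or of ASP.NET MVC itself: an authorization filter that logs which half of the token pair (cookie or hidden form field) is absent from the request, then runs the same `AntiForgery.Validate()` call that appears in the stack trace. The attribute name `DiagnoseAntiForgeryAttribute` is hypothetical, and logging through `System.Diagnostics.Trace` is an assumption about the application's logging setup.

```csharp
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

// Hypothetical attribute: apply it instead of [ValidateAntiForgeryToken] while
// diagnosing, so the log shows which half of the token pair did not arrive.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class DiagnoseAntiForgeryAttribute : FilterAttribute, IAuthorizationFilter
{
    // Name of the hidden field emitted by @Html.AntiForgeryToken().
    private const string FieldName = "__RequestVerificationToken";

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        HttpRequestBase request = filterContext.HttpContext.Request;

        // Read the cookie name from configuration rather than hard-coding it:
        // AntiForgeryConfig.CookieName may differ from the form field name.
        HttpCookie cookie = request.Cookies[AntiForgeryConfig.CookieName];
        bool hasCookie = cookie != null && !string.IsNullOrEmpty(cookie.Value);
        bool hasField = !string.IsNullOrEmpty(request.Form[FieldName]);

        if (!hasCookie || !hasField)
        {
            // Log presence only, never the token values themselves.
            Trace.TraceWarning(
                "Anti-forgery check on {0}: cookie '{1}' present={2}, " +
                "form field present={3}, secure connection={4}, RequireSsl={5}",
                request.Path, AntiForgeryConfig.CookieName, hasCookie, hasField,
                request.IsSecureConnection, AntiForgeryConfig.RequireSsl);
        }

        // Same validation [ValidateAntiForgeryToken] performs; it still throws
        // HttpAntiForgeryException when either token is missing or invalid,
        // so the request is rejected exactly as before.
        AntiForgery.Validate();
    }
}
```

A warning with `form field present=False` points at a view that lacks `@Html.AntiForgeryToken()`; one with `cookie ... present=False` means the browser did not send the cookie back, which is the condition the exception message in the question reports.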