ASP.NET MVC - MVC anti-forgery token -
I've got a public MVC 5 web-site, using the anti-forgery token. Every day a big number of errors are logged in the form of "The anti-forgery cookie token and form field token do not match.", and a lesser number in the form of "The required anti-forgery cookie "__RequestVerificationToken" is not present.".
The problem is not reproducible, and occurs for different people on different pages at different times. Closing the browser resolves the problem - using button, re-trying resolves problem.
As the website works for the vast bulk of users, I can rule out missing ValidateAntiForgeryToken attributes in controllers; likewise, I can rule out missing or duplicate @Html.AntiForgeryToken() code in views.
The website runs on a single server, so I can rule out different machineKeys in web.config (I've tried running the website with, and without, setting it anyway).
The application pool is set to restart each night, and there's plenty of spare resource on the server, so I can rule out the application pool restarting and invalidating sessions (especially as this isn't logged in the event log or anywhere else).
I've nail problem - have cookies enabled, so I can rule out cookies being disabled. I can rule out JavaScript being disabled, users can progress far site without JS - and the errors occur on pages beyond point.
I've disabled caching, setting nocache, nostore etc. This seemed to cut down the occurrence of the issue, but it still persisted (I had to re-enable caching for a variety of other reasons).
What other options are there to consider?
I'm frustrated, considering turning off anti-forgery protection, and contributing to the global weakening of security.
Make sure you have the anti-forgery attributes both in the controller and the forms.
If you're doing an AJAX POST, maybe you can send the requestvalidationtoken parameter.
$('input[name=__RequestVerificationToken]').val()
Also, maybe someone is attacking the site, or using bots for content or to post forms.
asp.net-mvc cookies antiforgerytoken
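The AJAX suggestion in the answer above, as an added example that is not part of the original post: it reads the hidden field, refuses to send a POST when the field is missing, and sends the token as a form field with cookies attached. It assumes the page was rendered with @Html.AntiForgeryToken() and that the action validates the token from the form body; `readAntiForgeryToken`, `buildPostBody` and `postWithToken` are hypothetical names.

```javascript
// Added example; only the field name __RequestVerificationToken comes from the page.
const TOKEN_FIELD = '__RequestVerificationToken';

// Read the hidden input rendered by @Html.AntiForgeryToken().
// `root` is a Document or form element (anything with querySelector).
function readAntiForgeryToken(root) {
  const input = root.querySelector('input[name="' + TOKEN_FIELD + '"]');
  const token = input && input.value;
  if (!token) {
    // Fail in the client rather than send a POST the server will reject.
    throw new Error('Anti-forgery field ' + TOKEN_FIELD + ' not found on this page');
  }
  return token;
}

// Build a form-encoded body that carries the token as a form field.
// The token always comes from the page, never from caller-supplied data.
function buildPostBody(root, fields) {
  const body = new URLSearchParams();
  for (const [name, value] of Object.entries(fields)) {
    if (name !== TOKEN_FIELD) body.append(name, String(value));
  }
  body.append(TOKEN_FIELD, readAntiForgeryToken(root));
  return body;
}

// POST with the token in the body and the anti-forgery cookie attached.
function postWithToken(url, fields, root) {
  return fetch(url, {
    method: 'POST',
    credentials: 'same-origin', // send cookies, including the token cookie
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildPostBody(root || document, fields).toString(),
  });
}
```

Logging the client-side error thrown by `readAntiForgeryToken` separates pages that were served without a token from requests where the cookie and field disagree.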