10

I've got an MVC web app on Azure, and a couple of hundred times a day I get a `The required anti-forgery cookie "__RequestVerificationToken" is not present.` error in my unhandled exceptions logs.

I've set everything up correctly, my action method has the `[ValidateAntiForgeryToken]` attribute.

I can see from looking at the exception details that the token was present in the form, but the cookie was not present.

Anyone know what might cause this?

Here's the error in full.

```
System.Web.Mvc.HttpAntiForgeryException (0x80004005): The required anti-forgery cookie "__RequestVerificationToken" is not present.
   at System.Web.Helpers.AntiXsrf.TokenValidator.ValidateTokens(HttpContextBase httpContext, IIdentity identity, AntiForgeryToken sessionToken, AntiForgeryToken fieldToken)
   at System.Web.Helpers.AntiXsrf.AntiForgeryWorker.Validate(HttpContextBase httpContext)
   at System.Web.Helpers.AntiForgery.Validate()
```
Matt Roberts
  • Matt, have you found a solution to this problem? I get these errors occasionally as well. – mai Mar 23 '16 at 15:46
  • @MarkA - Might be some web crawlers / bots? A reverse DNS lookup with the IPs that caused these exceptions might help you to find the cause. – Shiffty Jul 12 '16 at 12:47
  • No. It's not crawlers. It happens on a few most commonly accessed pages, which are accessible only to authenticated users. – mai Jul 12 '16 at 13:03
  • Is this coming from `<form>` submit actions, or from Ajax requests (and which lib do you use), or both? – Peter B Jul 14 '16 at 08:53
  • @PeterB in my case from `<form>` submit actions. – mai Jul 14 '16 at 11:02
  • Matt, see if this helps: http://stackoverflow.com/questions/30971260/the-required-anti-forgery-cookie-requestverificationtoken-is-not-present-mv – Gabriel Ferrarini Jul 14 '16 at 11:23
  • Or see this: http://stackoverflow.com/questions/15788912/deploying-antiforgerytoken-error – Peter B Jul 14 '16 at 11:25
  • Aren't you sending too many cookies to the client? Clients have a limit on the size of cookies they can accept. – Ondrej Svejdar Jul 18 '16 at 11:35
  • @OndrejSvejdar It's difficult to find any up-to-date info on the cookies size in modern browsers. I know that Chrome supports [at least 3000 cookies](https://codereview.chromium.org/118011/patch/5/1003). In our case in some instances we send about 150 cookies which I assume is less than modern browsers can handle. I'm looking into this now anyway. – mai Jul 18 '16 at 13:09
  • Looking at IIS logs I've noticed that some cookies have been replaced with ellipsis. According to [this](https://support.microsoft.com/en-us/kb/2809913) IIS truncates fields that are bigger than 4096 bytes. So @OndrejSvejdar you might be onto something here. – mai Jul 18 '16 at 13:30
  • @OndrejSvejdar good news! Thank you, that was it! I strongly suggest you post your answer. When the client's browser reaches the limit, some data is deleted from cookies. We have an old ASP.NET app where some legacy JavaScript code was creating a new cookie, with a 1 year expiry time, each time a user accessed a particular page. – mai Jul 18 '16 at 15:31

2 Answers

3

This can be caused by many issues. Things that can cause the issue:

  • Bots or clients without cookies enabled
  • Too many cookies being created on the client (there are only so many cookies a browser can handle per domain), so the AntiForgeryCookie ends up being removed
Ondrej Svejdar
  • Although that seems to have helped others, for me, that's not the answer :( We use a minimal amount of cookies, and it's not a bot. I don't think the token that's generated is going to exceed the 4096 size either – Matt Roberts May 02 '17 at 15:13
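
A log check for the causes named in this answer and in mai's comments, as an added example that is not code from the thread: it scans IIS W3C log lines for POSTs that arrived without the anti-forgery cookie and reports a likely reason. The sample log, the `COOKIE_WARN` threshold, the `...` truncation marker and the premise that every logged POST endpoint carries `[ValidateAntiForgeryToken]` are assumptions.

```python
from collections import namedtuple

TOKEN = "__RequestVerificationToken"  # name from the exception; matched as a prefix
COOKIE_WARN = 50                      # assumed threshold, tune per site

# Constructed sample in IIS W3C format (spaces inside a field are logged as "+").
LEGACY = ";+".join("legacy%d=1" % i for i in range(60))  # 60 stale cookies
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(Cookie)",
    "2016-07-18 13:01:02 203.0.113.10 POST /Account/Edit 200 "
    "ASP.NET_SessionId=abc;+__RequestVerificationToken=tok1",
    "2016-07-18 13:01:09 203.0.113.11 POST /Account/Edit 500 ASP.NET_SessionId=def;+" + LEGACY,
    "2016-07-18 13:01:15 203.0.113.12 POST /Account/Edit 500 ...",
    "2016-07-18 13:01:20 203.0.113.13 POST /Account/Edit 500 -",
    "2016-07-18 13:01:25 203.0.113.14 GET /Home 200 -",
])

Finding = namedtuple("Finding", "ip uri cookie_count reason")

def cookie_names(raw):
    """Return cookie names from a logged cs(Cookie) value ('-' means none)."""
    if raw == "-":
        return []
    return [p.split("=", 1)[0].strip("+ ") for p in raw.split(";") if "=" in p]

def classify(row):
    """Explain why a POST arrived without the anti-forgery cookie, or None."""
    if row["cs-method"] != "POST":
        return None
    raw = row["cs(Cookie)"]
    if raw.endswith("..."):  # assumed form of the truncation marker in the log
        return Finding(row["c-ip"], row["cs-uri-stem"], None, "field truncated in log")
    names = cookie_names(raw)
    if any(n.startswith(TOKEN) for n in names):
        return None
    reason = ("no cookies sent" if not names else
              "cookie jar near limit" if len(names) >= COOKIE_WARN else
              "token cookie missing")
    return Finding(row["c-ip"], row["cs-uri-stem"], len(names), reason)

def scan(log_text):
    """Classify every data line, taking field names from the #Fields header."""
    fields, findings = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            findings.append(classify(dict(zip(fields, line.split()))))
    return [f for f in findings if f]
```

Grouping the findings by `reason` separates cookie-less clients from browsers that dropped the token cookie, which is the distinction the two bullet points in the answer draw.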
0

The main problem is your client cookie issue. First clear the browser cache, then check; I think your problem will then be solved.

tapos ghosh