MVC AntiForgery Token error

Question

I am wondering how I should be handeling the following error/issue. I have a form that is getting submitted and on that form I am using AntiForgery token. The purpose of the form is to login to the site.

In the view I have:

<%: Html.AntiForgeryToken()%>

The controller reads:

[HttpPost]
[HandleError(ExceptionType = typeof(HttpAntiForgeryException),Master = "MasterLogin", View = "Login")]
[ValidateAntiForgeryToken]
public ActionResult Login(LoginPresentation model, string returnUrl)
{
    //do stuff
}

It works really well for the most part. Expect for the following case.

• I login to the site
• Logout of the site
• Clear my cache
• Attempt to authenticate

When I try to login I get the following error: The required anti-forgery cookie "__RequestVerificationToken_L1NTSS5NZW1iZXJzaGlwLlBvcnRhbA2" is not present.

How should I be dealing with this?

Answer 1

Just make sure that every request that is sent towards an action decorated with the ValidateAntiForgeryToken attribute is made via HTTP POST and it comes from a form that has a hidden input containing the required token. It can be generated using Html.AntiForgeryToken() and it looks like this:

<input name="__RequestVerificationToken" type="hidden" value="some value" />

The token associated with the form is also stored as a cookie on the client machine, so when you submit the form, the ValidateAntiForgeryToken filter checks the following:

• The incoming request has a cookie called __RequestVerificationToken
• The incoming request has a Request.Form entry called __RequestVerificationToken
• These cookie and Request.Form values match

read more here .