
'The anti-forgery token could not be decrypted' error in App Broker WebsiteMVC.log

I'm getting an error daily in our websitemvc.log about anti-forgery. I've looked at the web.config file under <system.web> and we have the machine key, decryption key and validation key listed.

In IIS the machine key is configured as auto generated at run time - I'm attaching a screenshot of the configuration.  

Would we be getting these errors because something has changed within our environment that I'm not aware of?  I can't seem to find a reason for the error.

Error: The anti-forgery token could not be decrypted. If this application is hosted by a Web Farm or cluster, ensure that all machines are running the same version of ASP.NET Web Pages and that the <machineKey> configuration specifies explicit encryption and validation keys. AutoGenerate cannot be used in a cluster.
at System.Web.Helpers.AntiXsrf.AntiForgeryTokenSerializer.Deserialize(String serializedToken)
at System.Web.Helpers.AntiXsrf.AntiForgeryWorker.Validate(HttpContextBase httpContext)
at System.Web.Mvc.ControllerActionInvoker.InvokeAuthorizationFilters(ControllerContext controllerContext, IList`1 filters, ActionDescriptor actionDescriptor)
at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass21.<BeginInvokeAction>b__19(AsyncCallback asyncCallback, Object asyncState)

Error: The required anti-forgery form field "__RequestVerificationToken" is not present
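
The first error above asks for explicit <machineKey> encryption and validation keys on every machine instead of AutoGenerate. The Python sketch below is an added example, not part of the original thread or of the product's code; it checks that condition across a set of web.config files. The server names and key values are constructed placeholders, and it assumes <machineKey> sits directly under <system.web> with no XML namespace on <configuration>.

```python
import hashlib
import xml.etree.ElementTree as ET

def machine_key_status(web_config_xml):
    """Return (status, fingerprint) for <machineKey> under <system.web>."""
    root = ET.fromstring(web_config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        # No element in this file: ASP.NET falls back to auto-generated keys.
        return ("autogenerate", None)
    keys = [mk.get("validationKey", "AutoGenerate"),
            mk.get("decryptionKey", "AutoGenerate")]
    # Values such as "AutoGenerate,IsolateApps" still mean per-machine keys.
    if any(k.split(",")[0].strip().lower() == "autogenerate" for k in keys):
        return ("autogenerate", None)
    # Compare a fingerprint so secret key material is never echoed to output.
    digest = hashlib.sha256("|".join(k.upper() for k in keys).encode()).hexdigest()
    return ("explicit", digest[:16])

def audit_farm(configs):
    """configs maps server name -> web.config text; returns a list of findings."""
    findings, prints = [], {}
    for server, xml_text in sorted(configs.items()):
        status, fingerprint = machine_key_status(xml_text)
        if status == "autogenerate":
            findings.append(f"{server}: machineKey is auto-generated")
        else:
            prints[server] = fingerprint
    if len(set(prints.values())) > 1:
        findings.append("explicit keys differ between: " + ", ".join(sorted(prints)))
    return findings

def sample_config(attrs):
    # Constructed sample web.config, reduced to the element being checked.
    return ("<configuration><system.web><machineKey " + attrs +
            " /></system.web></configuration>")

# Constructed placeholder servers and keys (not real key material).
SAMPLE = {
    "WEB01": sample_config('validationKey="%s" decryptionKey="%s" '
                           'validation="HMACSHA256" decryption="AES"'
                           % ("AB" * 32, "CD" * 16)),
    "WEB02": sample_config('validationKey="AutoGenerate,IsolateApps" '
                           'decryptionKey="AutoGenerate,IsolateApps"'),
    "WEB03": sample_config('validationKey="%s" decryptionKey="%s"'
                           % ("EF" * 32, "CD" * 16)),
}

if __name__ == "__main__":
    for finding in audit_farm(SAMPLE):
        print(finding)
```

The check only reads the file it is given, so a key set at a higher configuration level or in a <location> element is not seen.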

 

(1) Solution

We have only really seen this error when the browser session has ended and the user is still trying to make a request. You can typically avoid this error by asking the users to either start a new browser session or refresh the page then make the request or click the next button. This ensures that a new session is started and the request verification token is present.


(2) Replies


Thank you. Is there a way to determine what user could have the browser session still open? The logs don't provide a user name and the times when this occurs aren't timestamped close to a machine name.
