ASP.NET MVC 3 web site anti-forgery token fails only on IE
P

3

6

In my MVC 3 project I have a login page that uses the anti-forgery logic built into MVC 3.

On Firefox & Opera it works just fine, but on IE I get this:

A required anti-forgery token was not supplied or was invalid.

I'm really stumped on why only IE suffers this. I checked the cookie settings and they are set the same as the other browsers, so I'm at a loss here.

When I use the anti forgery code, I use both a SALT and the domain check (which shouldn't matter but worth telling).

Here is the view code:

@model login.Models.LogOnModel

@{
    ViewBag.Title = "Log On";
}

<script src="@Url.Content("~/Scripts/jquery.validate.min.js")" type="text/javascript"> </script>
<script src="@Url.Content("~/Scripts/jquery.validate.unobtrusive.min.js")" type="text/javascript"></script>

<script type="text/javascript">
$(function () {
    //focus on form.
    $("#UserName").focus();
});
</script>

 @using (Html.BeginForm("LogOn", "Account", FormMethod.Post, new { @class = "form login" })) {
@Html.AntiForgeryToken("!@#Hq4(", ViewBag.AppDomain, "/")
<div id="box">
<h1>Login</h1>
Please enter your username and password. @Html.ActionLink("Register", "Register") if you don't have an account.
<div class="block" id="block-login">
    <h2>
        Login Form</h2>
    <div class="content login">
              @Html.ValidationSummary(true)
        <div class="group buffer">
            <div class="left">
                <label class="label right">
                    @Html.LabelFor(m => m.UserName)</label>
            </div>
            <div class="right">
                @Html.TextBoxFor(m => m.UserName, new { @class = "text_field" })
                @Html.ValidationMessageFor(m => m.UserName)
            </div>
        </div>
        <div class="group buffer">
            <div class="left">
                <label class="label right">
                    @Html.LabelFor(m => m.Password)</label>
            </div>
            <div class="right">
                @Html.PasswordFor(m => m.Password, new { @class = "text_field" })
                @Html.ValidationMessageFor(m => m.Password)
            </div>
        </div>
        <div class="group buffer">
            <div class="left">
                <label class="label right">
                    @Html.LabelFor(m => m.RememberMe)</label>
            </div>
            <div class="right">
                @Html.CheckBoxFor(m => m.RememberMe)
            </div>
        </div>
        <div class="group navform buffer">
            <div class="right">
                <button class="button" type="submit">
                    <img src="@Url.Content("~/Content/images/icons/key.png")" alt="Save" />
                    Login
                </button>
            </div>
        </div>
    </div>
</div>
</div>
}

ViewBag.AppDomain is a value from web.config for easy setting during testing and production usage.

If I remove the domain and path portion from the antiforgery tag, it works just fine. So one of those two must be the problem.

Poser answered 22/12, 2011 at 13:11 Comment(6)
Hi, what version of IE are you using? - Schreibman
Are you able to (either using IE's dev tools, Firebug Lite or Fiddler) find out if your POST request is sending the AntiForgery cookie back? - Trophoplasm
I did not use any dev tools; I have some for Opera and Firefox though. I'm using IE 9. - Poser
Do you have cookies enabled in IE? - Compost
@php-jquery-programmer You can open IE9's built-in Dev tools by pressing F12 on your keyboard. Alternatively use Firebug Lite. - Trophoplasm
Yes I do, I said that in my original post; all my browsers have the same cookie settings. I'll try the F12 editor. - Poser
P
0

Not my favorite idea, but until I can figure this out I took out the domain and path parameters which makes IE happy.

If anyone has a suggestion, I'm open, but for now I'll settle with just salting the token.

Thank you everyone for your help.

Poser answered 22/12, 2011 at 17:50 Comment(2)
Can you explain what you mean by took out the domain and path parameters? On what? I'm having this issue and am unable to resolve it so far. - Unbent
On the controller, you can set the domain via an attribute; I removed it from there. I'd post code but this app was made way back and I've since moved on from it. - Poser
S
5

I had a similar problem like this when using a custom AntiCSRF token creator. I wasn't using MVC3 but it might be a similar issue.

The issue for me was that the domain name I was using locally for testing the site had an underscore in it. In theory a DNS name cannot have an underscore (even though a "computer name" can), so IE wasn't saving the cookies.

It may not be the same issue, but could be something related to a testing environment and the way cookies are handled by IE.

Here is a very interesting article about the internals of IE cookie handling which might help you uncover the issue.

http://blogs.msdn.com/b/ieinternals/archive/2009/08/20/wininet-ie-cookie-internals-faq.aspx

Schreibman answered 22/12, 2011 at 16:13 Comment(2)
My domain is just localhost during testing. - Poser
@php-jquery-programmer Oh well, worth a shot. You might find the link helpful; it's got a load of other helpful tips. - Schreibman
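
A pre-flight check for the Domain value given to the anti-forgery cookie, covering the underscore case from the answer above plus two rejection rules from the cookie RFCs. This is an added example, not code from the thread or from ASP.NET MVC; the class and method names are hypothetical, the sample hosts are constructed, and the thread does not confirm that the RFC rules were the asker's cause.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical helper (added example): lists reasons a browser may drop a cookie
// issued with Domain=configuredDomain in a response served from requestHost.
public static class CookieDomainCheck
{
    public static IList<string> Problems(string configuredDomain, string requestHost)
    {
        var problems = new List<string>();
        string host = (requestHost ?? "").Trim().ToLowerInvariant();

        // Case described in the answer above: IE did not save cookies for a
        // host name containing an underscore, even without a Domain attribute.
        if (host.Contains("_"))
            problems.Add("host '" + host + "' contains an underscore");

        // No Domain attribute means a host-only cookie; nothing more to check.
        if (string.IsNullOrWhiteSpace(configuredDomain))
            return problems;

        string domain = configuredDomain.Trim().TrimStart('.').ToLowerInvariant();

        if (domain.Contains("_"))
            problems.Add("Domain '" + domain + "' contains an underscore");

        // RFC 2109 section 4.3.2: reject a Domain value with no embedded dot.
        if (!domain.Contains("."))
            problems.Add("Domain '" + domain + "' has no embedded dot");

        // RFC 6265 section 5.3: the request host must domain-match the Domain
        // attribute, otherwise the cookie is ignored entirely.
        bool matches = host == domain || host.EndsWith("." + domain, StringComparison.Ordinal);
        if (!matches)
            problems.Add("host '" + host + "' does not domain-match '" + domain + "'");

        return problems;
    }

    public static void Main()
    {
        // Constructed sample values: { configured Domain, request host }.
        var samples = new[] {
            new[] { "localhost", "localhost" }, new[] { "example.test", "www.example.test" },
            new[] { "example.test", "localhost" }, new[] { "", "my_box" } };
        foreach (var s in samples)
            Console.WriteLine("Domain='{0}' host='{1}': [{2}]", s[0], s[1],
                string.Join("; ", Problems(s[0], s[1])));
    }
}
```

When the list is not empty, issuing the token without the domain and path arguments produces a host-only cookie, which is the workaround the asker settled on.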
H
1

I had the same problem as this in an MVC3 project built in VS2010 and viewed through IE 11 (it works fine in Firefox).

The way that I managed to get around it was by adding cookieless="UseCookies" to the "forms" element in the web.config file in the root directory:

<authentication mode="Forms">
  <forms loginUrl="~/Account/LogIn" timeout="2880" slidingExpiration="true" requireSSL="false" cookieless="UseCookies"/>
</authentication>
Handhold answered 21/1, 2014 at 16:15 Comment(2)
I'm using MVC4 in VS2012 and viewing in IE10. This doesn't seem to work for me. Do you know why this wouldn't work? It's a real brain twister. - Unbent
I haven't as yet done any work with MVC4 and VS2012 so I don't know if it handles this in a different way. Something else that you could try would be to make sure that the user is allowing cookies to be accepted for your website in order for the anti-forgery token to work. - Handhold