Antiforgery token exception only when debugger is run
Asked Answered
E

1

4

I have an mvc2 app which is serving content through iframes. The iframed page is simply a form. It has a request validation token. Everything works well cross domain until a developer uses the Visual Studio 2005 debugger. As soon as they do, I get the following error details.

Exception: 
System.Web.Mvc.HttpAntiForgeryException : A required anti-forgery token was not supplied or was invalid.

Stack Trace:
at System.Web.Mvc.ValidateAntiForgeryTokenAttribute.OnAuthorization(AuthorizationContext filterContext) 
at System.Web.Mvc.ControllerActionInvoker.InvokeAuthorizationFilters(ControllerContext controllerContext, IList`1 filters, ActionDescriptor actionDescriptor) 
at System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName)

Source:
System.Web.Mvc  

Location:
Void OnAuthorization(System.Web.Mvc.AuthorizationContext)

Url:
https://mydomain.com/Portal/Framed/NewQuickPay/yFkYAA!!-OSlvtw!!-4f560479-96f2-4578-8804-a757d4913f52


Path:
D:\Inetpub\wwwroot\Portal\

Referrer:
https://mydomain.com/portal/Framed/Index/yFkYAA!!-OSlvtw!!-4f560479-96f2-4578-8804-a757d4913f52/?amount=2861.43


Server Name:
/* OMITTED */   

IP Address:
/* OMITTED */

User Agent:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; MDDR; .NET4.0C; .NET CLR 1.1.4322)

Is Authenticated:
False   

Http Method:
POST

Form Data
/* OMITTED */

__RequestVerificationToken  EoJfaqoiWFUnbJFIQQeXoCeUdtVKpfX7RB0LfUXoTzRbrwK3ZYr6ZjT2ldsNGqVuB+3Vtc3uiRZoJiF+VAi7v7kdEy/sCb6jI9stzTzz/hRh3emTzBh61W9+GkFlEkxEVID8Bg==

Cookies
/* NONE */

We have deleted all cookies, restarted the machine, restarted visual studio, and still the debugger causes this error.

I have added a declared machine key to the web.config. I'm not sure what else it could be. It happens only when the debugger is running, and they are using Visual Studio 2005.

Edelmiraedelson answered 14/3, 2011 at 20:24 Comment(1)
After further investigation, this issue is only happening in IE when run on windows 7. Chrome and firefox are fine.Edelmiraedelson
E
4

I found the answer. My content was being presented through a cross domain iframe. According to Adam Young, IE will automatically block third party cookies unless you define a P3P policy in the header.

I added code to inject the p3p policy into the header and just call it from each action that I use in my iframe. So far, we have not seen this error turn up. I hope this solution helps someone else.

public static void SetP3PCompactPolicy()
{
    HttpContext.Current.Response.AddHeader("p3p", 
    "CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\"");
}

I also defined a machine key, although I'm not sure that was necessary.

Edelmiraedelson answered 8/4, 2011 at 13:23 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.