Empty or invalid anti forgery header token. #4432


factura created

Hello,

Sometimes I'm being logged out due to the following exception:

https://domain.com/api/services/app/chat/GetUserChatFriendsWithSettings 400 (Empty or invalid anti forgery header token.)

What is the solution to this problem? Project: ASP.NET MVC 5 and jQuery

Thanks in advance


3 Answer(s)
  • aaron created
    Support Team

    What did you do that causes that exception?

  • factura created

    Nothing. It happens suddenly

  • alper created
    Support Team

    When you restart IIS or the app pool recycles, IIS can change the machine key that's being used in generating/validating tokens. So if your MachineKey is set to AutoGenerate, then your verification tokens, etc. won't survive an application restart - ASP.NET will generate a new key when it starts up, and then won't be able to decrypt the tokens correctly. My recommendations:

    1. Configuring a static MachineKey => https://msdn.microsoft.com/en-us/library/ms998288.aspx
    2. Don't restart IIS! The best way to do this is by having a Load Balanced application, which will require you to set a static MachineKey.

    Actually these are subjects and general issues of ASP.NET & IIS.
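
One way to produce the static key from recommendation 1, as an added example that is not part of the original thread or the project's own code. The function names `New-HexKey` and `New-MachineKeyElement` are hypothetical, and the key sizes (32-byte AES decryption key, 64-byte HMACSHA256 validation key) are assumptions.

```powershell
# Added example: build a static <machineKey> element for web.config so that
# anti-forgery tokens issued before an app pool recycle still validate after it.
# Assumed key sizes:
#   decryptionKey = 32 random bytes (AES-256)
#   validationKey = 64 random bytes (HMAC-SHA256)

function New-HexKey {
    param([Parameter(Mandatory)][int]$ByteCount)

    $bytes = New-Object byte[] $ByteCount
    # Use the OS cryptographic RNG, never Get-Random, for key material.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $rng.GetBytes($bytes)
    }
    finally {
        $rng.Dispose()
    }
    # machineKey expects plain hex with no separators.
    return ([System.BitConverter]::ToString($bytes)) -replace '-', ''
}

function New-MachineKeyElement {
    $decryptionKey = New-HexKey -ByteCount 32
    $validationKey = New-HexKey -ByteCount 64

    # Explicit algorithms plus explicit keys replace the AutoGenerate setting.
    return ('<machineKey validation="HMACSHA256" validationKey="{0}" ' +
            'decryption="AES" decryptionKey="{1}" />') -f $validationKey, $decryptionKey
}

# Prints one element; paste it inside <system.web> in web.config.
New-MachineKeyElement
```

Generate the element once and use the same values on every server behind the load balancer. The keys are secrets: keep them out of source control and restrict read access to the deployed web.config.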