Base solution for your next web application
Ends in:
01 DAYS
01 HRS
01 MIN
01 SEC
Open Closed

Empty or invalid anti forgery header token. #4432


User avatar
0
factura created

Hello,

Sometimes I'm being logged out due to the following exception:

<a class="postlink" href="https://domain.com/api/services/app/chat/GetUserChatFriendsWithSettings">https://domain.com/api/services/app/cha ... thSettings</a> 400 (Empty or invalid anti forgery header token.)

What is the solution to this problem. Project: ASP.Net MVC 5 and jQuery

Thanks in advance


3 Answer(s)
  • User Avatar
    0
    aaron created
    Support Team

    What did you do that causes that exception?

  • User Avatar
    0
    factura created

    Nothing. It happens suddenly

  • User Avatar
    0
    alper created
    Support Team

    When you restart IIS or app pool recycle, IIS can change machine key that's being used in generating/validating tokens. So if your MachineKey is set to AutoGenerate, then your verification tokens, etc won't survive an application restart - ASP.NET will generate a new key when it starts up, and then won't be able to decrypt the tokens correctly. My recommendations;

    1. Configuring a static MachineKey => <a class="postlink" href="https://msdn.microsoft.com/en-us/library/ms998288.aspx">https://msdn.microsoft.com/en-us/library/ms998288.aspx</a>
    2. Don't restart IIS! The best way to do this is by having a Load Balanced application, which will require you to set a static MachineKey.

    Actually these are subjects and general issues of Asp.Net & IIS.