The required anti-forgery cookie “__RequestVerificationToken” is not present

I have had a problem with the AntiforgeryToken exception on an MVC4 website.

Everything was correctly configured i.e.

view code:

using (Html.BeginForm())
{
    @Html.AntiForgeryToken()
    //some code
}

 

Controller code:

[HttpGet]
[ValidateAntiForgeryToken]
public ActionResult Index()
{
    //some code
}

What made things worse was that only random users had this issue.

The problem turned out to be a poorly configured load balanced server, and the web.config setting

<httpCookies requireSSL="true" />

one server had a wild card SSL installed and the second server did not.

The result being that some users were being served by the server with the SSL installed with provided an encrypted cookie containing the anti-forgery token. Other users are served by the other server which was unable to provided the encrypted cookie.

Hence the anti-forgery token exception is thrown.

Add comment