The required anti-forgery cookie "__RequestVerificationToken" is not present. - asp.net-mvc

The required anti-forgery cookie "__RequestVerificationToken" is not present.
I have added in cshtml and in Controller also
using (Html.BeginForm())
{
    @Html.AntiForgeryToken()
    //some code
}
[HttpGet]
[ValidateAntiForgeryToken]
public ActionResult Index()
{
    using (var db = new SampleEntities())
    {
        return View(db.Rfps.ToList());
    }
}

In my case, I had this in my web.config:
<httpCookies requireSSL="true" />
But my project was set to not use SSL. Commenting out that line or setting up the project to always use SSL solved it.

The issue is because you are using a ValidateAntiForgeryToken attribute on a GET request.
You don't need to use this attribute for GET actions. Look here for more information:

In my case, it was because I ran another Asp.Net website before. So the cookies could not match for localhost.
I cleared my cookies (just for localhost) and everything is fine now.

Related

The required anti-forgery cookie “__RequestVerificationToken” is not present

As I have deployed my newly created Asp.Net MVC web application to the server, I am facing the subject error, upon submitting a sign-up form. It is working fine in my local environment.
In my controller's action method, I have set the attribute to validate the token as shown below:
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<ActionResult> Register(RegisterViewModel model)
{
////
}
And in my view, I have set as:
@using (Html.BeginForm("Register", "Account", FormMethod.Post, new { @class = "form-horizontal", role = "form" }))
{
    @Html.AntiForgeryToken()
}
////
)
One more thing is that I have enabled SSL on my project properties. I have also added <httpCookies httpOnlyCookies="true" requireSSL="true"/> in my web.config file.
While inspecting, I can see the hidden element <input name="__RequestVerificationToken" type="hidden" value="blaa blaa>", but I cannot see any cookie present there.
After hours of troubleshooting, I am still unable to find a solution to this problem. I am always getting error The required anti-forgery cookie "__RequestVerificationToken" is not present.
How to get rid of this?
I have found the answer to this question myself. In my case, as I have set SSL to true, I need to have a security certificate. So, I purchased and configured the certificate on my hosted site and the error has gone.
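Both threads above trace the missing cookie to requireSSL="true" on a site that was served over plain HTTP. As an added example (not part of the original posts), this Python check takes the form page's URL and the Set-Cookie headers from its response and reports whether the browser will send the anti-forgery cookie back; the function names, verdict strings and sample headers are constructed for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

TOKEN = "__RequestVerificationToken"  # name taken from the error message


def antiforgery_cookies(set_cookie_headers):
    """Yield the Morsel of every anti-forgery cookie in the Set-Cookie lines."""
    for line in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(line)
        for name, morsel in jar.items():
            # Prefix match, in case the deployed cookie name carries a suffix.
            if name.startswith(TOKEN):
                yield morsel


def diagnose(form_url, set_cookie_headers):
    """Say whether a browser will return the anti-forgery cookie on the POST.

    "missing": the form response issued no anti-forgery cookie at all
    "dropped": the cookie is marked Secure but the page is http://, so the
               browser never sends it back and validation fails
    "ok":      the cookie will accompany the POST
    """
    morsels = list(antiforgery_cookies(set_cookie_headers))
    if not morsels:
        return "missing"
    is_https = urlsplit(form_url).scheme.lower() == "https"
    if any(m["secure"] for m in morsels) and not is_https:
        return "dropped"
    return "ok"


# Constructed sample: response headers as produced with requireSSL="true".
SAMPLE = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    "__RequestVerificationToken=Zm9vYmFy; path=/; secure; HttpOnly",
]

if __name__ == "__main__":
    for url in ("http://example.test/Account/Register",
                "https://example.test/Account/Register"):
        print(url, "->", diagnose(url, SAMPLE))
```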

Asp.net MVC 4 Authorize Login Redirect 302 Missing ReturnUrl

When navigating to http://localhost:62030/Home/About and the Home controller includes the [Authorize] attribute the app correctly returns a 302 redirect to http://localhost:62030/Account/Login but w/o a ReturnUrl instead of http://localhost:62030/Account/Login?ReturnUrl=%2FHome%2FAbout
This seems to have started recently however I'm not aware of the cause. When creating a new mvc project the redirect properly returns a redirect along with the ReturnUrl. Where has the ReturnUrl gone?
You should be sure that you are using ReturnUrl in controller and view
Html.BeginForm("YourLogin", "Account", new {ReturnUrl = Request.QueryString["ReturnUrl"] })
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public ActionResult YourLogin(LoginInputModel model, string ReturnUrl) {
...
}
Set the form authentication since ASP.NET MVC template is using Forms authentication.
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>
You can also refer to the link: Return URL
Due to the way the Authorization Filters work ( [Authorize] Works as a Filter )
you would never receive the request in HomeController.
To be using [Authorize] you're probably using Identity as Authentication/Authorization Middleware.
You should define the LoginPath correctly in your web.config.

anti forgery token using rest client

I have a mvc site and I use the ValidateAntiForgeryToken on some of my action methods. On view I have the following line of code:
@Html.AntiForgeryToken()
The problem starts when I tried to call the function using postman rest client.
I get an error:
The required anti-forgery form field "__RequestVerificationToken" is not present.
I tried sending the cookies needed as such:
Cookie: ASP.NET_SessionId=hgpv04mkuldbex45im3gco; __RequestVerificationToken=2Of_03RzDacR4Hf-sWS3f_G0kZs1
But still getting the same error.
Does anyone know what the hell I am missing, please?
It is in two parts.
Part 1 is to add to the cshtml
@Html.AntiForgeryToken()
Part 2 is to add this to the method
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult CreateSomething(Something model)
{
    if (ModelState.IsValid)
    {
        //your logic
    }
    return View(model);
}
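For the REST-client case in the question above, an added example (not part of the original posts): [ValidateAntiForgeryToken] checks a cookie and a form field that are both named __RequestVerificationToken, so a client has to GET the form first and replay both halves. This Python sketch builds such a POST from a form response; the class and function names and the sample response are constructed for illustration.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urlencode

TOKEN = "__RequestVerificationToken"  # same name for the cookie and the field


class TokenField(HTMLParser):
    """Collect the value of the hidden anti-forgery <input> in a form page."""
    value = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and attrs.get("name") == TOKEN:
            self.value = attrs.get("value")


def build_post(form_html, set_cookie_headers, fields):
    """Return (headers, body) for a POST carrying both anti-forgery halves.

    Both halves come from one GET of the form and are different strings;
    sending the cookie alone yields the "form field ... is not present"
    error quoted in the question.
    """
    parser = TokenField()
    parser.feed(form_html)
    if parser.value is None:
        raise ValueError("form has no hidden %s field" % TOKEN)
    cookies = {}
    for line in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(line)
        cookies.update({name: m.value for name, m in jar.items()})
    if TOKEN not in cookies:
        raise ValueError("response set no %s cookie" % TOKEN)
    body = urlencode(dict(fields, **{TOKEN: parser.value}))
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Cookie": "; ".join("%s=%s" % kv for kv in cookies.items()),
    }
    return headers, body


# Constructed sample of what a GET of the form page returns.
SAMPLE_HTML = (
    '<form method="post">'
    '<input name="__RequestVerificationToken" type="hidden" value="field-half_1" /></form>'
)
SAMPLE_SET_COOKIE = ["__RequestVerificationToken=cookie-half_1; path=/; HttpOnly"]
```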

asp.net mvc User.Identity.Name is empty after posting any page

I have written some simple code to illustrate the problem.
The controller code:
public ActionResult Edit()
{
string un = User.Identity.Name;
return View();
}
[HttpPost]
public ActionResult Edit(int? dummy)
{
string un = User.Identity.Name; // <-- here it's empty string
return View();
}
The Edit.cshtml view code:
@using (Html.BeginForm())
{
    @Html.ValidationSummary(true)
    <input type="submit" value="Submit" />
}
The User.Identity.Name is not empty after I log in and I go to the Edit page.
But after I submit the Edit page (I make a HTTP POST) the User.Identity.Name becomes empty string and remains empty string no matter what page I access.
In Web.config I have:
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
This sounds like a strange problem, and though I can't give you an answer yet, this might help.
FormsAuthentication works by setting a cookie on the browser called .ASPXAUTH. After you sign in, inspect the cookies in your browser and look for it. Also, you can inspect the Request property in the controller action methods to look for that cookie. It will be a weird-looking encoded value. You can also use something like Fiddler2 to make sure that the cookie is being sent when you post the form.
I have run into this problem before, but it had to do with cross-domain requests and machineKey mismatch problems. If both your Edit actions are in the same controller / project / URL / web.config, then perhaps something in the pipeline is removing the cookie, or reconfiguring your User principal during POST requests..? You aren't using OWIN anywhere in the project, right? And there are no global filters other than HandleErrorAttribute?

A potentially dangerous Request.Form value was detected from the client

I am using CKEditor/CKFinder as wysiwyg editor on my MVC.NET site.
I have set [ValidateInput(false)] and it works when debugging it locally, but I receive the following error when I have published the site:
A potentially dangerous Request.Form value was detected from the client (message="<p>
<em>Testing</e...").
Can anyone explain why the published site is different from the local site, especially when I have set [ValidateInput(false)]?
*Update:* I am using .Net 3.5 so shouldn't [ValidateInput(false)] work out of the box?
Have you tried setting the htmlEncodeOutput property?
CKEDITOR.replace('editor1', {
    htmlEncodeOutput: true
});
This should encode the output and you should be able to avoid setting the requestValidationMode.
Documentation for it is here: ckEditor documentation
Add this to your web.config:
<httpRuntime requestValidationMode="2.0" />
Just add an Annotation to the Post method Action as [ValidateInput(false)]
[HttpPost]
[ValidateAntiForgeryToken]
[ValidateInput(false)]
public ActionResult Detail(ModelClass m)
{ return View(); }
ValidateRequest="false"
Add this in the particular Page.
Example:
Add ValidateRequest="false" to your Page:
<%@ Page Language="C#" AutoEventWireup="false" Codebehind="MyForm.aspx.cs" Inherits="Proj.MyForm" ValidateRequest="false"%>
Or add to web.config if using .NET Framework 4.0 (Visual Studio 2010)
<httpRuntime requestValidationMode="2.0" />
Use Request.Unvalidated["myTextBox"]
for example,
var text = Request.Unvalidated["myTextBox"];
where "myTextBox" is the form field you want to allow HTML to be posted from.
