Anti forgery problems

Topics: Troubleshooting
Feb 1, 2012 at 10:15 AM

Hi Orchard Gurus, 

I'm having a bit of an issue with this exception: 'A required anti-forgery token was not supplied or was invalid'

Stack trace for info:

   System.Web.Helpers.AntiForgeryWorker.Validate(HttpContextBase context, String salt) +121143
   System.Web.Helpers.AntiForgery.Validate(HttpContextBase httpContext, String salt) +45
   System.Web.Mvc.ValidateAntiForgeryTokenAttribute.OnAuthorization(AuthorizationContext filterContext) +68
   Orchard.Mvc.AntiForgery.AntiForgeryAuthorizationFilter.OnAuthorization(AuthorizationContext filterContext) in D:\InformationServices\Web\Orchard\Pod\Orchard.Source.1.2.41\src\Orchard\Mvc\AntiForgery\AntiForgeryAuthorizationFilter.cs:37
   System.Web.Mvc.ControllerActionInvoker.InvokeAuthorizationFilters(ControllerContext controllerContext, IList`1 filters, ActionDescriptor actionDescriptor) +102
   System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName) +343
   System.Web.Mvc.Controller.ExecuteCore() +116
   System.Web.Mvc.ControllerBase.Execute(RequestContext requestContext) +97
   System.Web.Mvc.ControllerBase.System.Web.Mvc.IController.Execute(RequestContext requestContext) +10
   System.Web.Mvc.<>c__DisplayClassb.<BeginProcessRequest>b__5() +37
   System.Web.Mvc.Async.<>c__DisplayClass1.<MakeVoidDelegate>b__0() +21
   System.Web.Mvc.Async.<>c__DisplayClass8`1.<BeginSynchronous>b__7(IAsyncResult _) +12
   System.Web.Mvc.Async.WrappedAsyncResult`1.End() +62
   System.Web.Mvc.<>c__DisplayClasse.<EndProcessRequest>b__d() +50
   System.Web.Mvc.SecurityUtil.<GetCallInAppTrustThunk>b__0(Action f) +7
   System.Web.Mvc.SecurityUtil.ProcessInApplicationTrust(Action action) +22
   System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +60
   System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) +9
   Orchard.Mvc.Routes.HttpAsyncHandler.EndProcessRequest(IAsyncResult result) in D:\InformationServices\Web\Orchard\Pod\Orchard.Source.1.2.41\src\Orchard\Mvc\Routes\ShellRoute.cs:148
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +8969117
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +184

Steps to reproduce:

  1. Open any browser which supports tabbing, and open two tabs. 
  2. In both tabs, navigate to 'http://your-site/users/account/logon'
  3. In the first tab, log in as a valid user, and wait for the site to finish loading.
  4. On the second site, try to log in again.

I know this isn't a normal set of circumstances, but I'm finding some of my users are getting themselves into a similar sort of state, maybe by leaving one of their tabs open whilst browsing on another, then coming back to the one they left and seeing they're not logged in, so trying to log in.

I didn't raise this on the issue tracker as I'm not sure whether it's really a bug, but any ideas of how to get around it would be great. I thought about overriding the 'AntiForgeryAuthorizationFilter' class, but I'm not really sure what I'd do in there to be honest...

Thanks in advance for your thoughts!

Charlie

 

Feb 1, 2012 at 5:12 PM

I find this a common enough scenario, I know I've done it myself on other websites. I think it's worth raising a bug (I've tested and can reproduce it easily).

In general it'd be good if a friendlier screen was displayed for anti forgery; I'm sure there are other ways it can get inadvertently triggered (e.g. timeout?) and a YSOD is never good to throw in a user's face! (Especially "anti forgery" which might sound kind of serious to a non-technical user... Sort of reminds me of something that happened years ago when I worked in a computer shop. We'd sold a new computer to a family a few days prior and suddenly one of them phoned up sounding genuinely scared, because their computer had told them they'd performed an "illegal operation" and they were worried the police might be on their way...)

Coordinator
Feb 1, 2012 at 5:45 PM

Yes, please file a bug. Thanks for reporting it.

Feb 2, 2012 at 7:47 AM

Thanks for responding, guys. I have opened issue #18404 on the issue tracker. Cheers.
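
One way to give the "friendlier screen" asked for above in the two-tab scenario, as an added example that is not code from Orchard or from anyone in this thread: an ASP.NET MVC exception filter that still rejects the POST but answers with a redirect instead of a YSOD. The class name, the home-page target and the way the filter is registered are assumptions; the logon path is the one from the repro steps.

```csharp
using System.Diagnostics;
using System.Web.Mvc;

// Hypothetical filter (not part of Orchard or ASP.NET MVC). It changes only
// the response to a failed anti-forgery check; the rejected POST is never run.
// Assumption: it is registered so that it covers the failing action, e.g.
// GlobalFilters.Filters.Add(new FriendlyAntiForgeryErrorAttribute()) in plain
// MVC 3. Whether an Orchard site honours that registration is not verified here.
public class FriendlyAntiForgeryErrorAttribute : FilterAttribute, IExceptionFilter
{
    // Logon path from the thread's repro steps; the home page is an assumed landing page.
    private const string LogOnUrl = "~/users/account/logon";
    private const string HomeUrl = "~/";

    public void OnException(ExceptionContext filterContext)
    {
        // Only handle the exception type raised by the anti-forgery check;
        // every other error goes through the normal error handling.
        if (filterContext.ExceptionHandled ||
            !(filterContext.Exception is HttpAntiForgeryException))
        {
            return;
        }

        var request = filterContext.HttpContext.Request;

        // A genuine cross-site request forgery raises the same exception as a
        // stale tab, so keep a record. AbsolutePath is the escaped form of the
        // path, which keeps raw control characters out of the log line.
        Trace.TraceWarning(
            "Anti-forgery validation failed: method={0} path={1} authenticated={2}",
            request.HttpMethod, request.Url.AbsolutePath, request.IsAuthenticated);

        // Two-tab case: the stale tab's POST already carries the authentication
        // cookie set by the other tab, so the user can simply be sent onwards.
        // Otherwise send them back to the logon page, whose GET issues a fresh
        // token. Both targets are fixed, site-relative URLs: nothing from the
        // request is used to build the redirect, so it cannot become an open redirect.
        filterContext.Result = new RedirectResult(
            request.IsAuthenticated ? HomeUrl : LogOnUrl);
        filterContext.ExceptionHandled = true;
    }
}
```

Because the stack trace shows the exception coming out of an authorization filter inside `ControllerActionInvoker.InvokeAction`, MVC passes it to exception filters before it reaches the YSOD.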