Null reference in IsAntiForgeryProtectionEnabled

Topics: Troubleshooting, Writing modules
May 30, 2011 at 8:08 PM


I have a module that creates a page with a form in it. This form uses:


It was all working fine till I made this page my home page. When the form submits I get:

Exception Details: System.NullReferenceException: Object reference not set to an instance of an object.

Source Error:

Line 1:  @{
Line 2:      RouteValueDictionary routeValues = Model.RouteValues;
Line 3:      Html.RenderAction(routeValues["action"] as string, routeValues["controller"] as string, routeValues);
Line 4:  }

Source File: c:\Users\Richard\..\Orchard\Core\Routable\Views\Routable.HomePage.cshtml    Line: 3

When running it in debug I tracked down the null reference exception to Orchard.Mvc.AntiForgery.IsAntiForgeryProtectionEnabled.

In the code below context.RouteData.Values["area"] is null so the ToString() opperation creates a null reference exception.


private bool IsAntiForgeryProtectionEnabled(ControllerContext context) {
    string currentModule = context.RouteData.Values["area"].ToString();
    if (!String.IsNullOrEmpty(currentModule)) {


Is this a bug in anti forgery protection, or is there something I can do to fix this in my module?



May 31, 2011 at 3:41 PM

Hey Richard,

What's this form for? Are authenticated users going to be submitting the form data or just any anonymous visitor to the site? If it's the latter then the quick fix would be to just use Html.BeginForm since you don't really need to be so strict about ensuring the specific user is submitting the form on the site.


May 31, 2011 at 4:00 PM
Edited May 31, 2011 at 4:09 PM

Hey Nathan,

It's for anonymous visitors but I tried Html.BeginForm() and got:

A required anti-forgery token was not supplied or was invalid.

I couldn't figure out how to disable it in module.txt

I tried:

  • AntiForgery: disabled
  • AntiForgery: off
  • removing the AntiForgery line from Module.txt

Neither worked but I also wan't sure if I needed to restart IIS for it to notice module.txt changes.

May 31, 2011 at 4:25 PM

Are you trying to submit it when you're authenticated? When anti-forgery verification is enabled it'll check for the requisite hidden form field and cookie on any authenticated form POST. When you're not signed in it shouldn't be verifying.

I don't remember the config setting off hand. I'll look it up.

May 31, 2011 at 4:30 PM

Looks like setting it to anything other than "enabled" will disable it. You could also remove that line from Module.txt. Did you try to restart IIS or the app pool to try to get your change to take affect, BTW?

May 31, 2011 at 4:33 PM

I've just logged out and tried it and it worked

So, the error only happens when someone is logged in. Phew!!!

May 31, 2011 at 4:35 PM

Cool. Glad it's working as it's supposed to...well other than the but with the area being null. Would you mind adding an issue for that?

May 31, 2011 at 4:50 PM
Edited May 31, 2011 at 4:57 PM

Thanks loads for your help.

I've added an issue for this.