Antiforgerytoken randomly not matching?

  • Question

  • User-462241089 posted

    I have a .NET MVC Core app with form submission that is getting stuck randomly sometimes, usually when I try to submit a form, but also when I try to navigate to a new page in the app. I have only seen this happen a few times in the past several months testing it out, so it is not very common. However, I want to make sure every possible bug is fixed.

    I looked in my logs and found the following error:

    ERROR Microsoft.AspNetCore.Antiforgery.DefaultAntiforgery An exception was thrown while deserializing the token. Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The antiforgery token could not be decrypted.

    Now, I am using antiforgerytoken as well as authtoken for security purposes. I found that this might be caused by antiforgerytokens that don't match in the browser and the app, causing the application to become confused and appear frozen or disabled. I really can't have this app just stop working for the user.

    I am a little unfamiliar with these kinds of problems, so if anyone can help me understand what exactly is going on here and what the best way to fix or handle the error is, that would be awesome!

    Tuesday, April 20, 2021 3:38 PM

All replies

  • User475983607 posted

    The error message indicates the token could not be deserialized. An application restart or a load-balanced environment can cause this behavior. Just Google the error.

    Tuesday, April 20, 2021 3:57 PM
  • User-462241089 posted

    Thank you for the quick reply!

    I did google it, but we didn't restart the server or the application when those errors happened. I am unfamiliar with load balancing in this case. How could it affect the token?

    Again, thanks!

    Tuesday, April 20, 2021 4:16 PM
  • User475983607 posted

    I did google it, but we didn't restart the server or the application when those errors happened.

    Maybe your application restarted unexpectedly. As you know from your Google research, there are many reasons this error can happen. Please explain each troubleshooting step you have performed so the community is not repeating steps you tried.

    Tuesday, April 20, 2021 6:23 PM
  • User-462241089 posted

    I just found out that we don't use load balancing for this application. We found that if a user gets this freeze error, they simply need to refresh and login again. We are using cookie authentication, so I think the cookie is expiring prematurely. 

    Wednesday, April 21, 2021 1:50 PM
  • User475983607 posted

    I just found out that we don't use load balancing for this application. We found that if a user gets this freeze error, they simply need to refresh and login again. We are using cookie authentication, so I think the cookie is expiring prematurely

    What is a freeze error?

    An application restart can also cause issues reading the authentication cookie because the key used to decode the cookie can change. Do you have proof that the cookie expired? Are you logging this type of information? Again, what troubleshooting steps have you performed to figure out what's happening in your application?

    Wednesday, April 21, 2021 2:00 PM
  • User-462241089 posted

    We did more research and we found that the user's session cookie is being unset or expiring before they submit the form or click to direct to a new page. This causes the application to just stay on the page and not allow them to redirect by clicking a new page link or submit the form.

    Monday, April 26, 2021 12:14 AM
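
The replies above point at an application restart changing the key that protects the antiforgery token and the authentication cookie. As an added example (not code from any poster in this thread), this Startup persists the ASP.NET Core Data Protection key ring so it survives a restart or app-pool recycle; the directory path and application name are assumed values.

```csharp
using System.IO;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Antiforgery tokens and the authentication cookie are both protected
        // with the Data Protection key ring. If that key ring exists only in
        // memory, a restart or recycle generates new keys, and tokens or
        // cookies issued before the restart can no longer be decrypted.
        services.AddDataProtection()
            // Assumed path: a directory that survives restarts. Keys written
            // here are not encrypted at rest unless a ProtectKeysWith* method
            // is also configured, so restrict the directory's ACL to the
            // application's identity.
            .PersistKeysToFileSystem(new DirectoryInfo(@"C:\keys\myapp"))
            // Assumed name: keeps the key ring usable if the content root
            // path changes between deployments.
            .SetApplicationName("MyApp");

        // Cookie authentication, as described in the question.
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie();

        // MVC with views; form posts are validated against the antiforgery
        // token when [ValidateAntiForgeryToken] or the auto-validate filter
        // is applied.
        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```

With a persisted key ring, a "could not be decrypted" error that still appears after a restart points away from key loss and toward another cause, such as the cookie expiry discussed in the last post.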