
App was developed in Web API. We are using AntiForgery token validation for all the POST calls in xyz.com. Registered xyz.com users get email alerts for the content they are signed up for. Users click an item from the email to view the content details. On click of the item, the click event is first saved in SilverPop, and SilverPop redirects to the actual content in xyz.com. The details page loads without any issues after authenticating the user based on a few query string parameters. The issue is that when the user makes a POST call (to save for later, bookmark, etc.), the app throws an AntiForgery token mismatch error. Sorry for the bad English and the long question. The strange part of this issue is that we are unable to replicate this error and it's not occurring consistently. We have two servers and one load balancer hosted in AWS, with sticky sessions not enabled. We are using Forms cookie authentication. Finally, this issue kept occurring even though we ran with one server. Thanks for reading, and I would appreciate it if anyone could help.

Must the user be authenticated to validate the CSRF token? This xyz.com makes a few API GET and POST calls.

Nash
  • Possible duplicate of [Will ASP.Net MVC's AntiForgeryToken Method work with Load Balancers?](http://stackoverflow.com/questions/3419578/will-asp-net-mvcs-antiforgerytoken-method-work-with-load-balancers) – SilverlightFox Jan 15 '16 at 10:14
  • We tested with one node (server) and no load balancer, but this didn't solve the issue – Nash Jan 20 '16 at 22:21
  • Do the links in the email contain anti forgery tokens? – SilverlightFox Jan 21 '16 at 08:44
  • No, links in the URL contain encrypted information related to the user. On clicking the email and reaching xyz.com, the app reads data from the URL and issues an authentication ticket with very limited permissions. – Nash Jan 21 '16 at 15:14
  • Sounds like your machineKey is changing from when the email was sent to the server's state now. Set a static `` as per link, send a new email using this key and then test without load balancer against the same server. – SilverlightFox Jan 21 '16 at 15:17
  • We generated a machine key and added it in the web.config file. This issue occurred in the one-server scenario also – Nash Jan 21 '16 at 15:25
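As an added illustration (not from the question or any comment above), here is a simplified Python model of the two bindings the discussion turns on: ASP.NET protects the anti-forgery cookie token and form token with secrets derived from the server's machineKey, and the form token also carries the username at the time the page was rendered, so a POST checked under a different machineKey or a different identity is rejected. The HMAC construction, the `issue_tokens`/`validate` names and the scenario labels are constructed for this example and are not the real System.Web.Helpers implementation.

```python
"""Constructed model of ASP.NET-style anti-forgery token binding (not the real implementation)."""
import hashlib
import hmac
import os

SEC_LEN, MAC_LEN = 16, 32  # random security token length, HMAC-SHA256 length


def _sign(machine_key: bytes, payload: bytes) -> bytes:
    # Stand-in for the machineKey-derived protection ASP.NET applies to both tokens.
    return hmac.new(machine_key, payload, hashlib.sha256).digest()


def issue_tokens(machine_key: bytes, username: str) -> tuple[bytes, bytes]:
    """Return (cookie_token, form_token) as a server would when rendering the page."""
    security_token = os.urandom(SEC_LEN)
    cookie_token = security_token + _sign(machine_key, security_token)
    # The form token embeds the same security token plus the current identity.
    form_payload = security_token + username.encode()
    form_token = form_payload + _sign(machine_key, form_payload)
    return cookie_token, form_token


def validate(machine_key: bytes, username: str, cookie_token: bytes, form_token: bytes) -> bool:
    """True only if both tokens verify under this server's key, share one security token,
    and the identity baked into the form token is the identity making the POST."""
    sec_c, mac_c = cookie_token[:SEC_LEN], cookie_token[SEC_LEN:]
    if not hmac.compare_digest(mac_c, _sign(machine_key, sec_c)):
        return False  # cookie token was protected with a different machineKey
    payload_f, mac_f = form_token[:-MAC_LEN], form_token[-MAC_LEN:]
    if not hmac.compare_digest(mac_f, _sign(machine_key, payload_f)):
        return False  # form token was protected with a different machineKey
    sec_f, user_f = payload_f[:SEC_LEN], payload_f[SEC_LEN:].decode()
    return hmac.compare_digest(sec_c, sec_f) and user_f == username


def scenarios() -> dict[str, bool]:
    """Run the failure modes the question and comments describe (constructed keys and users)."""
    key_a, key_b = os.urandom(32), os.urandom(32)  # two servers with different machineKeys
    cookie, form = issue_tokens(key_a, "alice")
    other_form = issue_tokens(key_a, "alice")[1]  # form token from another page render
    return {
        "same server, same identity": validate(key_a, "alice", cookie, form),
        "other server, different machineKey": validate(key_b, "alice", cookie, form),
        "identity changed between page load and POST": validate(key_a, "alice-full", cookie, form),
        "cookie and form token from different renders": validate(key_a, "alice", cookie, other_form),
    }
```

Only the first scenario validates; the remaining three are the mismatches a static machineKey on every server and a stable identity across page load and POST are meant to prevent.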
