Does AntiForgeryToken state depend on session state?

I do not use a session, so I deleted it along with all the HTTP modules that I do not need.

I sometimes get this error: System.Web.Mvc.HttpAntiForgeryException: The anti-forgery token could not be decrypted. If this application is hosted by a Web Farm or cluster, ensure that all machines are running the same version of ASP.NET Web Pages and that the <machineKey> configuration specifies explicit encryption and validation keys. AutoGenerate cannot be used in a cluster.

Or this: System.Web.Mvc.HttpAntiForgeryException: The provided anti-forgery token was meant for a different claims-based user than the current user.

When I turn on the session, it works.

So the question is: does the content of the CSRF token depend on the state of the session?

+5
1 answer

An ASP.NET session is not required for anti-forgery tokens to work. The token is stored in a hidden form field and in a cookie, separate from the session cookie (details here). Also, if the anti-forgery token is invalid, an exception is thrown, so it doesn't seem like the problem you are experiencing is related to anti-forgery tokens. Perhaps record a Fiddler session, attach it to a new SO question, and we can guide you better.

+6
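The first exception quoted in the question points at the <machineKey> element: when the keys are auto-generated, each server (or each app pool recycle with a non-persisted key) ends up with different keys, and a token issued by one process cannot be decrypted by another. Below is an added web.config fragment, not taken from the question or the answer, showing explicit keys so that every node can validate tokens issued by any other. The key values are placeholders; real ones should be generated (for example with the Machine Key feature in IIS Manager) and kept out of source control.

```xml
<!-- Added example, not part of the original question or answer.
     Explicit machineKey values let every node in a web farm decrypt and
     validate anti-forgery tokens issued by any other node, which the
     AutoGenerate default cannot do.
     The two key values are PLACEHOLDERS: generate your own hex values
     (e.g. via the IIS Manager "Machine Key" feature) and do not commit
     real keys to source control. -->
<configuration>
  <system.web>
    <machineKey
      validationKey="PLACEHOLDER_VALIDATION_KEY_HEX_REPLACE_ME"
      decryptionKey="PLACEHOLDER_DECRYPTION_KEY_HEX_REPLACE_ME"
      validation="HMACSHA256"
      decryption="AES" />
  </system.web>
</configuration>
```

The same element must be identical on every machine in the cluster, and the second exception ("meant for a different claims-based user") is a separate condition: it is raised when the identity embedded in the token does not match the current user, so fixing machineKey will not remove it on its own.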
