I have a public MVC 5 website using an anti-forgery token. Every day, a large number of errors are recorded in the form "The anti-forgery cookie token and form field token do not match", and a smaller number in the form "The required anti-forgery cookie "__RequestVerificationToken" is not present".
The problem is not reproducible; it occurs for different people on different pages at different times. Closing the browser fixes the problem - sometimes just using the back button and trying again solves the problem.
Since the website works for the vast majority of users, I can exclude missing ValidateAntiForgeryToken attributes in controllers; I can also exclude missing or duplicate @Html.AntiForgeryToken() code in views.
The website runs on a single server, so I can exclude differing machine keys in the web.config file (in any case, I tried running the website with this setting and without it).
The application pool restarts every night, and the server has a backup resource, so I can exclude restarting and cancellation of the application pool sessions (especially since this is not recorded in the event log or elsewhere).
I have run into the problem very rarely - I definitely have cookies, so I can exclude that cookies are disabled. I can also exclude that javascript is disabled, as the user can only move to the site without JS - and errors appear on pages outside of this point.
I disabled all caching, set no-cache, no-store, etc. This apparently reduced the occurrence of the problem, but it still persists (I had to turn on caching again for a number of other reasons).
What other options can be considered?
I am so upset by this, I am considering disabling anti-forgery protection and contributing to a global weakening of security.
cookies asp.net-mvc antiforgerytoken
user3728961