We are working on styling Epi Forms, and therefore we are keeping the form in the browser for a long time - say 1 hour. If we then reload the page, we get an error message saying something about the antiforgerytoken not being valid. If we load the same page in a new tab, everything is ok. Is this a bug in epi forms, or is there something we can do to fix it?
I think after an hour the cookie that is used to validate has expired. It's not an Episerver specific thing methinks. Have a look at this article
That's a protection against cross-site request forgery. Basically what happens is that you are probably re-posting the form, but the anti-forgery token validation then says that the token doesn't match the user it was created for (session timeout). So I would say it's working as intended.
To avoid it you can redirect a logged-out user to the start page or reload the page, since this will restart the session and give you a new valid cookie for the antiforgery token.
It sounds strange that if a user starts filling out a form, takes a break for an hour, and comes back, the page fails?
Daniel: you say we can reload the page, but when we reload the page, the error happens.
You should be able to reload using a GET? (similar to opening the same address in a new tab). If you reload using a POST (resending form data) it will trigger the validation of the antiforgery token. Haven't tested it though, but that is how it should work at least. The validation is to protect logged-in users. If it didn't exist I could create posts as another logged-in user with a little effort and a fake site.
For sites without login I guess it should be possible to remove the antiforgery check. Don't see why it's needed then. Haven't tested if that is possible with Episerver Forms out of the box though.
As it is a protection against XSRF attacks, also for anonymous users, I would not advise removing it. You could catch the exception and handle it in a way that's user-friendly, e.g. showing a message that explains that they need to fill in the form again due to inactivity.
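One way to do what the last reply suggests, catching the anti-forgery failure and turning it into a friendly message while keeping the check in place. This is an added example written for this thread, not code from Episerver Forms or from any poster; it assumes an ASP.NET MVC 5 (System.Web.Mvc) project, which is the stack classic Episerver CMS sites run on, and the class, filter registration and TempData key names are hypothetical. The filter only reacts to HttpAntiForgeryException, logs the event (a real token mismatch is also what a CSRF attempt looks like, so it is worth seeing in the logs), and redirects to the same URL. Because the redirect is a 302, the browser re-requests the page with GET, which renders the form with a fresh token and a fresh __RequestVerificationToken cookie, exactly the "reload with GET, not POST" behaviour described above.

```csharp
using System.Diagnostics;
using System.Web.Mvc;

// Hypothetical exception filter (example only, not part of Episerver Forms).
// Converts an expired or mismatched anti-forgery token into a redirect plus a
// user-friendly message instead of the default error page.
public class AntiForgeryFailureFilter : FilterAttribute, IExceptionFilter
{
    // TempData key read by the view that renders the form (assumed name).
    public const string MessageKey = "FormMessage";

    public void OnException(ExceptionContext filterContext)
    {
        if (filterContext.ExceptionHandled) return;
        if (!(filterContext.Exception is HttpAntiForgeryException)) return;

        var request = filterContext.HttpContext.Request;
        var isAuthenticated = filterContext.HttpContext.User != null
                              && filterContext.HttpContext.User.Identity.IsAuthenticated;

        // Detection stance: a stale token after inactivity and a forged cross-site
        // POST look the same at this point, so record it rather than silently swallow it.
        Trace.TraceWarning(
            "Anti-forgery validation failed: method={0} path={1} authenticated={2}",
            request.HttpMethod, request.Path, isAuthenticated);

        filterContext.Controller.TempData[MessageKey] =
            "Your session expired due to inactivity. Please fill in the form again.";

        // 302 to the same URL: the browser follows it with GET, so the page is
        // re-rendered with a new anti-forgery token and cookie. No form data is replayed.
        filterContext.Result = new RedirectResult(request.RawUrl);
        filterContext.ExceptionHandled = true;
    }
}

// Example controller showing the token check stays on the POST action.
public class ContactFormController : Controller
{
    [HttpGet]
    public ActionResult Index()
    {
        // The view shows TempData[AntiForgeryFailureFilter.MessageKey] when present
        // and includes @Html.AntiForgeryToken() inside the form.
        ViewBag.Message = TempData[AntiForgeryFailureFilter.MessageKey];
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken] // keep the CSRF check, also for anonymous users
    public ActionResult Index(FormCollection form)
    {
        // ... handle the submitted form ...
        return RedirectToAction("Index");
    }
}

// Registration, typically in App_Start/FilterConfig.cs (assumed location):
// filters.Add(new AntiForgeryFailureFilter());
```

Registering the filter globally covers every action decorated with [ValidateAntiForgeryToken]; if you only want the behaviour on form pages, apply it as an attribute on those controllers instead. The redirect target is the request's own URL, so nothing user-controlled is used to build it.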