HttpAntiForgeryException: Your anti-forgery token is not correct


Forms 4.6.1 and 4.8

Maybe a chain of events, but suddenly I cannot post data on my site with Epi.Forms.


[HttpAntiForgeryException (0x80004005): Your anti-forgery token is not correct!]
   EPiServer.Forms.Internal.Security.AntiForgeryService.Validate(HttpContextBase httpContext) +606
   EPiServer.Forms.Controllers.DataSubmitController.Submit() +131
   lambda_method(Closure , ControllerBase , Object[] ) +90
   System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters) +1180
   System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +1366
   System.Web.Mvc.<>c__DisplayClass15.b__12() +80
   System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodFilter(IActionFilter filter, ActionExecutingContext preContext, Func`1 continuation) +452
   System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodFilter(IActionFilter filter, ActionExecutingContext preContext, Func`1 continuation) +452
   System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName) +908
   System.Web.Mvc.Controller.ExecuteCore() +128
   System.Web.Mvc.ControllerBase.Execute(RequestContext requestContext) +1198
   EPiServer.Forms.Controllers.FormsMvcHandler.ProcessController(IController controller) +92
   EPiServer.Forms.Controllers.FormsMvcHandler.BeginProcessRequest(HttpContextBase httpContext, AsyncCallback callback, Object state) +100
   System.Web.Mvc.MvcHandler.BeginProcessRequest(HttpContext httpContext, AsyncCallback callback, Object state) +97
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +1091
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +143

To solve it quick and dirty I put

 <%= Html.AntiForgeryToken() %> into FormContainerBlock.ascx

Why? What happened? I can't remember making a release that day, nor changing any config on the server. How is Epi.Forms handling AntiForgeryToken?

Nov 07, 2017 15:29


When implementing the anti-forgery feature, we modified the FormContainerBlock.ascx to add this line:

<%= Html.GenerateAntiForgeryToken(Model) %>

Could you please check that the file has been upgraded in your site? Or are you customizing the template so that the line is not added? If that is not the reason, could you describe the steps to reproduce the problem?

Edited, Nov 08, 2017 4:45

You are totally right, somewhere along the road <%= Html.GenerateAntiForgeryToken(Model) %> was implemented and our custom template missed that. I also missed it yesterday when looking for it.


Nov 08, 2017 8:10

Sorry for hijacking this thread. Since it is marked as solved, I hope you can elaborate on the solution.

@Dac - I am using Episerver Forms, and I am now getting this error too. However, I cannot see any FormContainerBlock.ascx file on my site. What file do I need to update to continue to use the latest version of Episerver Forms, and what change exactly do I need to make?

Thanks in advance

Nov 30, 2017 11:49

We have the same error but in our case the helper is present. We are missing the cookie somehow in production but not in test or development. Does anyone have a solution or suggestion for what it could be? We also have custom views but we did not have a custom view for the FormContainerBlock.ascx.

Dec 13, 2017 13:00

If you are using different ports only for the different sites you can get funny results with this btw. Either create a real subdomain for each site so cookies don't collide or make sure you clear the browser cache etc. when switching sites.

Dec 13, 2017 14:01

I'm still getting error:

Your anti-forgery token is not correct!


With or without <%= Html.GenerateAntiForgeryToken(Model) %> in my FormContainerBlock.ascx. Episerver Forms

The error happens after HttpPost on my website and then when contentarea tries to render my form.

Jan 31, 2018 10:56

I'm not fully understanding your case. Could you send us a support case? We can look into it for investigation.

Jan 31, 2018 11:00

This seems flawed or bugged since epi 11. Cannot use previously created or newly created epi forms no matter how simple they are (textfield + submit button). Keep getting "Your anti-forgery token is not correct". I've tried to change ports for the site and recreate forms and reinstall the latest epi-forms nuget.

[HttpAntiForgeryException (0x80004005): Your anti-forgery token is not correct!]
   EPiServer.Forms.Internal.Security.AntiForgeryService.Validate(HttpContextBase httpContext) +475
   EPiServer.Forms.Controllers.FormContainerBlockController.Index(FormContainerBlock currentBlock) +337
   lambda_method(Closure , ControllerBase , Object[] ) +106
   System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters) +14
   System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters) +157
   System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +27
   System.Web.Mvc.Async.AsyncControllerActionInvoker.<BeginInvokeSynchronousActionMethod>b__39(IAsyncResult asyncResult, ActionInvocation innerInvokeState) +22
   System.Web.Mvc.Async.WrappedAsyncResult`2.CallEndDelegate(IAsyncResult asyncResult) +29
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult) +32
   System.Web.Mvc.Async.AsyncInvocationWithFilters.<InvokeActionMethodFilterAsynchronouslyRecursive>b__3d() +50
   System.Web.Mvc.Async.<>c__DisplayClass46.<InvokeActionMethodFilterAsynchronouslyRecursive>b__3f() +228
   System.Web.Mvc.Async.<>c__DisplayClass46.<InvokeActionMethodFilterAsynchronouslyRecursive>b__3f() +228
   System.Web.Mvc.Async.<>c__DisplayClass46.<InvokeActionMethodFilterAsynchronouslyRecursive>b__3f() +228
   System.Web.Mvc.Async.<>c__DisplayClass46.<InvokeActionMethodFilterAsynchronouslyRecursive>b__3f() +228
   System.Web.Mvc.Async.<>c__DisplayClass33.<BeginInvokeActionMethodWithFilters>b__32(IAsyncResult asyncResult) +10
   System.Web.Mvc.Async.WrappedAsyncResult`1.CallEndDelegate(IAsyncResult asyncResult) +10
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult) +34
   System.Web.Mvc.Async.<>c__DisplayClass2b.<BeginInvokeAction>b__1c() +26
   System.Web.Mvc.Async.<>c__DisplayClass21.<BeginInvokeAction>b__1e(IAsyncResult asyncResult) +100
   System.Web.Mvc.Async.WrappedAsyncResult`1.CallEndDelegate(IAsyncResult asyncResult) +10
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeAction(IAsyncResult asyncResult) +27
   System.Web.Mvc.Controller.<BeginExecuteCore>b__1d(IAsyncResult asyncResult, ExecuteCoreState innerState) +13
   System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +29
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +36
   System.Web.Mvc.Controller.<BeginExecute>b__15(IAsyncResult asyncResult, Controller controller) +12
   System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +22
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) +26
   System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.EndExecute(IAsyncResult asyncResult) +10
   System.Web.Mvc.MvcHandler.<BeginProcessRequest>b__5(IAsyncResult asyncResult, ProcessRequestState innerState) +21
   System.Web.Mvc.Async.WrappedAsyncVoid`1.CallEndDelegate(IAsyncResult asyncResult) +29
   System.Web.Mvc.Async.WrappedAsyncResultBase`1.End() +49
   System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +28
   System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) +9
   System.Web.Mvc.<>c__DisplayClassa.<EndProcessRequest>b__9() +22
   System.Web.Mvc.<>c__DisplayClass4.<Wrap>b__3() +10
   System.Web.Mvc.ServerExecuteHttpHandlerWrapper.Wrap(Func`1 func) +53
   System.Web.Mvc.ServerExecuteHttpHandlerWrapper.Wrap(Action action) +65
   System.Web.Mvc.ServerExecuteHttpHandlerAsyncWrapper.EndProcessRequest(IAsyncResult result) +70
   System.Web.HttpServerUtility.ExecuteInternal(IHttpHandler handler, TextWriter writer, Boolean preserveForm, Boolean setPreviousPage, VirtualPath path, VirtualPath filePath, String physPath, Exception error, String queryStringOverride) +1436

Feb 02, 2018 10:11

Could you try to create a fresh Alloy MVC site and see if the error still occurs? Do you customize the FormContainerBlock.ascx?

Feb 02, 2018 10:17

I can try, but no, I have not done any customization of it. All I've done is to update all epi components from version 10 (which was the latest version when we installed the site last year) to version 11, and after that the forms stopped working =(

Feb 02, 2018 10:19

Our QA has tested the upgrade case. What is the result if you uninstall and install the Forms add-on again?

Feb 02, 2018 10:25

No difference after reinstall of the Forms nugets. I'll try on a fresh project now.

Feb 02, 2018 10:53

Well, Alloy does not seem to be updated for EPI CMS 11 :( , I'll try a blank project instead.

Feb 02, 2018 12:11

This is not working... for some reason it works on a completely new empty project (Alloy needs to be updated btw), but does not work on our current solution, time to roll back...
This was a version 10 CMS solution with no customization made to how epi forms works at all.

Feb 05, 2018 7:19

I had the same problem. Added <%= Html.GenerateAntiForgeryToken(Model) %> inside the submit <form> and now it works again.

Feb 15, 2018 15:06

We had the same issue on our site after upgrade to CMS 11 and Forms 4.9.1. No custom Forms. Worked perfectly in development, but not in production.

Turns out Forms are now using cookies to store the antiForgeryToken. And the site didn't allow that cookie, therefore it failed with the exception

Failed to validate the anti-forgery token
System.Web.Mvc.HttpAntiForgeryException (0x80004005): 
The required anti-forgery cookie "__RequestVerificationToken" is not present.

When allowing the cookie it works again.

Feb 19, 2018 9:02

Had the same error, but in my case it was caused by the page controller being decorated with the [ContentOutputCache] attribute. Which explains why submit worked when logged into episerver. Removed the attribute and works like a charm again.

Mar 05, 2018 23:53
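
A simplified model of the cookie-plus-hidden-field pairing discussed in the posts above, added here as an illustration; it is not Episerver's or ASP.NET's own implementation, and the class, the method names and the HMAC construction are assumptions. It walks through the failure cases raised in this thread: a template without the token helper, a cookie the site does not allow, and output-cached markup reused by a different visitor.

```csharp
#nullable enable
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical model: the cookie holds a random value, the hidden form field
// holds a server-keyed MAC of that value. A POST is accepted only if both
// arrive and pair with each other.
static class AntiForgeryModel
{
    static readonly byte[] ServerKey = RandomNumberGenerator.GetBytes(32); // constructed key

    public static (string Cookie, string Field) Issue(string user)
    {
        string cookie = Convert.ToBase64String(RandomNumberGenerator.GetBytes(16));
        return (cookie, Sign(cookie, user));
    }

    static string Sign(string cookie, string user)
    {
        using var hmac = new HMACSHA256(ServerKey);
        return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(cookie + "|" + user)));
    }

    public static string Validate(string? cookie, string? field, string user)
    {
        if (string.IsNullOrEmpty(cookie)) return "rejected: anti-forgery cookie not present";
        if (string.IsNullOrEmpty(field)) return "rejected: anti-forgery form field not present";
        byte[] expected = Encoding.UTF8.GetBytes(Sign(cookie, user));
        byte[] actual = Encoding.UTF8.GetBytes(field);
        return CryptographicOperations.FixedTimeEquals(expected, actual)
            ? "accepted" : "rejected: cookie and form field do not pair";
    }
}

static class Program
{
    static void Main()
    {
        var visitorA = AntiForgeryModel.Issue(""); // anonymous visitor A renders the form
        var visitorB = AntiForgeryModel.Issue(""); // anonymous visitor B has a different cookie

        // Normal submit: A sends back A's cookie and A's hidden field.
        Console.WriteLine(AntiForgeryModel.Validate(visitorA.Cookie, visitorA.Field, ""));
        // Custom template without the token helper: no hidden field in the POST.
        Console.WriteLine(AntiForgeryModel.Validate(visitorA.Cookie, null, ""));
        // Cookie blocked or stripped before it reaches the application.
        Console.WriteLine(AntiForgeryModel.Validate(null, visitorA.Field, ""));
        // Output-cached markup: B receives HTML rendered for A, so A's field meets B's cookie.
        Console.WriteLine(AntiForgeryModel.Validate(visitorB.Cookie, visitorA.Field, ""));
    }
}
```

Comparing the cookie and hidden field on the failing POST in the browser's developer tools shows which of these cases applies.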

How did you manage to allow that cookie? Can you please explain?

May 02, 2018 15:17

You can replace the default implementation of IAntiForgeryService and then bypass the validation. Does that help?

May 02, 2018 17:04