We've copied a complete setup of an R2 site, and are running the two sites on the same server. Pretty much only changed to a separate database, another siteId, another License.config and on another URL. We're having lots of trouble logging into the new site, and we're seeing some AntiForgery validation errors in the log files:
2011-05-11 15:08:57,561|The required cookie __epiAntiForgeryToken_ZG9scGhpbmZkYi5la2xp has not been set in the request, either there is an invalid posting or the request has been forged[Client IP: x.x.x.x, Referer: http://x.x.x/xxLogin.aspx?ReturnUrl=/helhetslosningar/, Url: http://x.x.x.x/xxLogin.aspx?ReturnUrl=/, User: ]
2011-05-11 15:08:57,561|1.2.5 Unhandled exception in ASP.NET
System.Web.HttpUnhandledException (0x80004005): Exception of type 'System.Web.HttpUnhandledException' was thrown. ---> EPiServer.Core.EPiServerException: This request has probably been tampered with. Close the browser and try again.
   at EPiServer.Web.PageExtensions.AntiForgeryValidation.ThrowForgeryException(String logMessage, String param)
   at EPiServer.Web.PageExtensions.AntiForgeryValidation.PreInit(Object sender, EventArgs e)
Any ideas why this new antiforgery stuff fails? How is the antiforgery token secret generated?
Did you figure out the reason?
The error message indicates that the cookie is missing on postback; it should automatically be generated on a GET request.
No I didn't. I had to disable the antiforgery plugin.
I could see that the cookie was missing sometimes, very strange. Haven't had time to investigate further.
I'm having this exact same problem. Seems to occur during Composer editing. For some reason the cookie seems to disappear, 'cause the site prompts for a new login, and then that exact same error occurs.
Any solution? I am getting this error in the log as well. It's CMS 6 R2, no Composer. Load balancing setup?
Anyone? Having the same issue on a newly upgraded site, CMS5 R2 to CMS6 R2 (no Composer, enterprise setup).
You could try setting requestValidation to "2.0" if you're running the site on ASP.NET 4?
Should look something like this in web.config:
<httpRuntime requestValidationMode="2.0" />
Not sure if that's what's causing it, but worth a shot. ;)
The site is running ASP.NET 3.5; disable AntiForgeryValidation?
When running more than one site against the same database then the same machine key has to be used on both sites.
This is what solved it for me
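Added example, not part of the thread and not EPiServer code: a Python check for the condition named in the machine-key reply above, comparing the machineKey element of two sites' web.config files. The sample configs, the placeholder key values and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs; key values are placeholders, not real keys.
SITE_A = """<configuration><system.web>
  <machineKey validationKey="AAAA1111" decryptionKey="BBBB2222"
              validation="SHA1" decryption="AES" />
</system.web></configuration>"""
SITE_B_AUTOGEN = """<configuration><system.web>
  <httpRuntime requestValidationMode="2.0" />
</system.web></configuration>"""
SITE_B_COPY = SITE_A.replace("AAAA1111", "CCCC3333")

ATTRS = ("validationKey", "decryptionKey", "validation", "decryption")

def machine_key(config_xml):
    """Return the machineKey attributes of a web.config, or None if absent."""
    for node in ET.fromstring(config_xml).iter():
        # Strip an optional XML namespace so older configs also match.
        if node.tag.rsplit("}", 1)[-1] == "machineKey":
            return {a: node.get(a) for a in ATTRS}
    return None

def compare_machine_keys(xml_a, xml_b):
    """List the reasons two sites would not share one machine key."""
    problems = []
    keys = {"site A": machine_key(xml_a), "site B": machine_key(xml_b)}
    for name, key in keys.items():
        if key is None:
            problems.append(f"{name}: no <machineKey>, ASP.NET auto-generates one")
            continue
        for attr in ("validationKey", "decryptionKey"):
            # A missing attribute falls back to ASP.NET's AutoGenerate default.
            if (key[attr] or "AutoGenerate").startswith("AutoGenerate"):
                problems.append(f"{name}: {attr} is auto-generated")
    if not problems:
        a, b = keys["site A"], keys["site B"]
        problems += [f"{attr} differs" for attr in ATTRS if a[attr] != b[attr]]
    return problems

if __name__ == "__main__":
    for label, other in (("copy", SITE_B_COPY), ("autogen", SITE_B_AUTOGEN)):
        print(label, compare_machine_keys(SITE_A, other))
```

An empty list means both files declare the same explicit keys; any entry names the site or attribute to fix.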
We have been getting this issue in a secured CMS / Composer / Relate Intranet that uses a federated authentication process. Interestingly, it only happens from computers behind the client's firewall and remote access. It does not happen when using a browser that connects directly via the federated authentication process. I think we'll simply disable it, since the site is already highly secure and all users must be authenticated via the federated system.