This request has probably been tampered with. Close the browser and try again.

Tim Hillman
Member since: 2008
 

Hi,

Recently upgraded to CMS 6 R2 and seeing the following error coming through surrounding EPiServer.Web.PageExtensions.AntiForgeryValidation. This occurs when I access the EPiServer edit mode and navigate the tree structure.

Here is my set up:

  • Single instance of EPiServer with 8 sites running
  • Load balanced across 2 web servers
  • 7 sites are of the form http://wwww.sitename.com
  • 1 site is of the form http://sitename.com

This issue only arises with the site that doesn't have www's. Also, if I go direct to EPiServer edit mode on each box it works fine. So this issue only arises when load balanced and on the non www domain. 

Any ideas?

Cheers

Tim

#59034 May 17, 2012 16:59
  • Johan Petersson
    Member since: 2007
     

    Hi,


    Have you set the same machine key on both machines? Please see http://aspnetresources.com/tools/machineKey

    #59037 May 17, 2012 20:16
  • Tim Hillman
    Member since: 2008
     

    Hi Johan,

     

    Confirmed that machine keys are the same on both boxes. All the other sites in the same installation work fine. I'm pretty sure it's to do with the fact this site is not served on www whereas the others are. We don't see this issue when we use an individual machine directly.

     

    Cheers

    Tim

    #59040 Edited, May 18, 2012 10:20
  • Tom Pipe
    Member since: 2010
     

    I solved this issue by correcting the domain in the httpCookies section in web.config.

    The AntiForgery system works by adding a value to a hidden field, and setting a cookie with the same value. It then compares these values on postback.

    The HttpCookie is created based on the domain setting in web.config. In this instance it was set to the incorrect domain. If you are running on a subdomain, you will need to prefix the domain with a .

    e.g.:

    <httpCookies domain=".mydomain.com" />

        

    Hope this helps

    #59273 Edited, May 28, 2012 17:37
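
As an added illustration (not code from this thread, EPiServer, or ASP.NET), the sketch below models the hidden-field/cookie comparison described above together with the browser's cookie domain-match rule from RFC 6265. It shows how an httpCookies domain that does not cover the bare host makes the postback fail. The host names, the cookie name `AntiForgery` and the token are constructed assumptions, and public-suffix checks are left out.

```javascript
// Added example: constructed hosts, cookie name and token; not EPiServer code.

// RFC 6265 section 5.1.3 domain-match: the request host must equal the
// cookie domain or be a subdomain of it. A leading dot is ignored.
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === domain || host.endsWith("." + domain);
}

// Browser side of Set-Cookie: a Domain attribute that does not cover the
// responding host causes the cookie to be ignored entirely.
function browserStoresCookie(responseHost, configuredDomain) {
  if (!configuredDomain) return true; // no Domain attribute: host-only cookie
  return domainMatches(responseHost, configuredDomain);
}

// Server side on postback: the hidden field must equal the cookie value.
// A missing cookie is a validation failure, not a pass.
function validatePostback(hiddenField, cookieJar, cookieName) {
  const cookie = cookieJar[cookieName];
  return typeof cookie === "string" && cookie.length > 0 && cookie === hiddenField;
}

// One edit-mode round trip: the page render issues the cookie and hidden
// field, then the browser posts the form back with whatever cookie it kept.
function roundTrip(siteHost, configuredDomain) {
  const token = "constructed-token-123"; // hypothetical per-session token
  const jar = {};
  if (browserStoresCookie(siteHost, configuredDomain)) {
    jar["AntiForgery"] = token; // hypothetical cookie name
  }
  return validatePostback(token, jar, "AntiForgery");
}

// Constructed cases: [site host, httpCookies domain]
const cases = [
  ["sitename.com", "www.sitename.com"], // domain does not cover the bare host
  ["sitename.com", ".sitename.com"],    // covers bare host and subdomains
  ["www.sitename.com", ".sitename.com"],
];
for (const [host, domain] of cases) {
  console.log(host, domain, roundTrip(host, domain) ? "valid" : "rejected");
}
```
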
  • Kasper de Boer
    Member since: 2011
     

    Hi,

    Today I had the same problem, but only in Internet Explorer. In Chrome and Firefox it just worked as expected.

    We solved this by removing the underscore from the subdomain we were running this instance of EPiServer on. Apparently Internet Explorer blocks cookies from domains with an underscore in it!

    Greets!

    Kasper

    #65139 Jan 22, 2013 11:52
  • Johan Petersson
    Member since: 2007
     

    Kasper, underscore is not a valid character in a domain. It's valid in the path and query though.

    #65143 Jan 22, 2013 12:58
  • tym.lawrence
    Member since: 2010
     

    We have been getting this issue in a secured CMS / Composer / Relate Intranet that uses a federated authentication process. Interestingly, it only happens from computers running IE behind the client's firewall and remote access. It does not happen when using a (decent) browser that connects directly via the federated authentication process. I think we'll simply disable it, since the site is already highly secure and all users must be authenticated via the federated system.

    See thread at http://world.episerver.com/Modules/Forum/Pages/thread.aspx?id=50746

    #69111 Mar 22, 2013 3:19
  • tym.lawrence
    Member since: 2010
     

    See also thread at http://world.episerver.com/Blogs/Per-Bjurstrom/Archive/2010/4/Using-the-CSRF-page-extension-in-CMS-6/

    #69112 Mar 22, 2013 3:20