AntiForgery


Trying to set up an EPiServer 7 site with MVC. And everything has gone alright until I tried to create a Group in the Admin interface.

After clicking on the "Add"-button I receive:

Server Error in '/' Application.
--------------------------------------------------------------------------------

This request has probably been tampered with. Close the browser and try again. 
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. 

Exception Details: System.InvalidOperationException: This request has probably been tampered with. Close the browser and try again.

Source Error: 

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.  

Stack Trace: 


[InvalidOperationException: This request has probably been tampered with. Close the browser and try again.]
   EPiServer.Framework.Web.AspNetAntiForgery.ThrowForgeryException() +395
   System.EventHandler.Invoke(Object sender, EventArgs e) +0
   System.Web.UI.Page.PerformPreInit() +49
   System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1844
 


--------------------------------------------------------------------------------
Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.17929 

This is on a developer machine. Where have I gone wrong?

#63462
Nov 20, 2012 14:21

How have you set up the project? There seems to be a problem with the anti forgery if you don't run your site on a FQDN.

A typical case is that you run your site on http://mysite or just http://localhost. If you add a port number it seems to work. It can have something to do with old cookies too; try to clear 'em.

#63465
Edited, Nov 20, 2012 15:10

What causes that exception to be thrown is if the token put in the form and the token put in a cookie don't "match".

 

If we assume that neither the form data nor the cookies have been intentionally changed/removed it seems most likely that it's the cookie that has been overwritten or something along those lines.

 

It's quite possibly related to what Johan was hinting at considering that cookies (in general) are scoped by domain (no port) and path.

 
#63468
Nov 20, 2012 15:38

Thanks for your replies!

I started with host "episerver7mvc" (port 80). Changed it to "episerver7mvc" (port 17033) and that did not work either. Tried "www.episerver7mvc.se" (port 17033) and that doesn't work either.

Can it be that I first created an empty EPiServer 7 site and then created an ASP.NET MVC 4 web application. Copied over the web application to the EPiServer site (without Global.* and Web.* files). Is there any other way to install that doesn't cause this problem?

I have emptied cookies from my browser as well, with no luck...

#63470
Nov 20, 2012 15:48

Not sure it matters for this, but does the siteUrl setting match your IIS host settings?

#63477
Nov 20, 2012 15:57

Yes they do.

Checked the cookies created when going into the admin-interface and there are none except ASP.NET_SessionId. Shouldn't there be a few others, like authtoken?

Can this be related to that I have uncommented the <authorization> element in web.config in order to get into EPiServer admin and create groups and roles for the first time?

#63478
Edited, Nov 20, 2012 16:01

It seems that when you don't use the login form the necessary cookies are not set. I created the Groups by using the "ASP.NET Configuration" to create the WebAdmins group and an admin user. Then I logged in the usual way and now I can create additional groups in the admin interface.

#63507
Nov 21, 2012 10:03

If you use http and you have the following line in your config

<httpCookies httpOnlyCookies="true" requireSSL="true"/>

just remove the requireSSL attribute.

#175207
Feb 15, 2017 0:35
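
An added example, not part of any post above and not EPiServer's own code: a simplified Python model of the cookie/form token check discussed in this thread, showing how a cookie flagged Secure on an http site, or a same-name cookie written by another site on the same host but a different port, makes validation fail. The cookie name, the /admin path and port 8080 are constructed, and the plain equality check is an assumption standing in for the real ASP.NET token pairing.

```python
import hmac
import secrets
from urllib.parse import urlsplit

COOKIE = "antiforgery"  # hypothetical cookie name, not EPiServer's

class CookieJar:
    """Toy browser cookie store: keyed by host only, port ignored."""
    def __init__(self):
        self._store = {}  # host -> {name: (value, secure)}

    def set(self, url, name, value, secure=False):
        host = urlsplit(url).hostname
        self._store.setdefault(host, {})[name] = (value, secure)

    def cookies_for(self, url):
        parts = urlsplit(url)
        jar = self._store.get(parts.hostname, {})
        # A cookie flagged Secure is never sent back over plain http.
        return {n: v for n, (v, sec) in jar.items()
                if not sec or parts.scheme == "https"}

def render_form(jar, url, require_ssl=False):
    """Server: set the token cookie and return the hidden-field token."""
    token = secrets.token_hex(16)
    jar.set(url, COOKIE, token, secure=require_ssl)
    return token

def validate_post(jar, url, form_token):
    """Server: accept only if the returned cookie matches the form token."""
    cookie = jar.cookies_for(url).get(COOKIE)
    return cookie is not None and hmac.compare_digest(cookie, form_token)

def submit(url, require_ssl):
    """Render a form and post it back from the same browser."""
    jar = CookieJar()
    return validate_post(jar, url, render_form(jar, url, require_ssl))

def overwritten_by_other_port():
    """Two sites on one host, different ports, share one cookie slot."""
    jar = CookieJar()
    form_a = render_form(jar, "http://localhost:17033/admin")
    render_form(jar, "http://localhost:8080/admin")  # constructed second site
    return validate_post(jar, "http://localhost:17033/admin", form_a)

if __name__ == "__main__":
    print("http + requireSSL  :", submit("http://episerver7mvc/admin", True))
    print("http, no requireSSL:", submit("http://episerver7mvc/admin", False))
    print("https + requireSSL :", submit("https://episerver7mvc/admin", True))
    print("overwritten cookie :", overwritten_by_other_port())
```

The model ignores cookie path scoping and expiry; on a real site the same comparison can be made by checking which cookies the browser actually sends with the failing POST.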
This topic was created over six months ago and has been resolved. If you have a similar question, please create a new topic and refer to this one.