A required anti-forgery token was not supplied or was invalid -- Safari only

5
votes

I have an asp.net mvc 2 project with the typical xss protection

<%=Html.AntiForgeryToken() %> inside each form and [ValidateAntiForgeryToken] on each Post action.

This works as expected in Chrome, Firefox and IE.

But I get the following error in Safari (v 5.1.7).

System.Web.Mvc.HttpAntiForgeryException: A required anti-forgery token was not supplied or was invalid.

I see the reason for the exception is the RequestValidationToken cookie that is created has an incorrect expiration date of Mon, 01 Jan 2001, while in the other browsers is is correctly set to Session.

How can I make Safari stop assigning a bogus expiration date to my Anti-Forgery cookie?

1
asp.net-mvccookiessafari
I also experience this problem but cannot find anything about this. Do you already have a solution?Wessel Kranenborg
No I haven't found a solution. Please let me know if you come up with something!Forty-Two

1 Answers

1
votes

I resolved this problem by removing 'negotiate' from the list of authentication providers in IIS.

Similar to this issue with safari:

Windows Authentication issue with Safari 5.x in Windows 7