I'm using the [ValidateAntiForgeryToken]
attribute on my [HttpPost]
actions. Out of curiosity, I went to a page with a form, deleted the __RequestVerificationToken cookie, and submitted the form.
Result:
System.Web.Mvc.HttpAntiForgeryException: The required anti-forgery cookie "__RequestVerificationToken" is not present.
In the same spirit, I altered the value of the cookie and submitted the form.
Result:
System.Web.Mvc.HttpAntiForgeryException: The anti-forgery token could not be decrypted. If this application is hosted...
It seems to me that, instead of exploding, the application should simply check the SessionID and, if valid, set a new token and redisplay the view.
I wonder, then, if there is a reason that MVC throws an exception instead of doing what I've described. I am planning to handle the exception and do as I've described above but before I do I would like to know if there is a good reason—perhaps related to security?—that this scenario isn't more gracefully handled by default.