The required anti-forgery cookie "__RequestVerificationToken" is not present. MVC 5

Question

"The required anti-forgery cookie "__RequestVerificationToken" is not present."

When a user attempts to register, it rarely appears.

I am using Elmah tracker. The data from the client has form field "__RequestVerificationToken".

I can't find out the reason. Please review the below data.

Thanks in advance.

<error application="/LM/W3SVC/3/ROOT" host="N816A" type="System.Web.Mvc.HttpAntiForgeryException" message="The required anti-forgery cookie "__RequestVerificationToken" is not present." source="System.Web.WebPages" detail="System.Web.Mvc.HttpAntiForgeryException (0x80004005): The required anti-forgery cookie "__RequestVerificationToken" is not present.
 at System.Web.Helpers.AntiXsrf.TokenValidator.ValidateTokens(HttpContextBase httpContext, IIdentity identity, AntiForgeryToken sessionToken, AntiForgeryToken fieldToken)
 at System.Web.Helpers.AntiXsrf.AntiForgeryWorker.Validate(HttpContextBase httpContext)
 at System.Web.Mvc.ControllerActionInvoker.InvokeAuthorizationFilters(ControllerContext controllerContext, IList`1 filters, ActionDescriptor actionDescriptor)
 at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass21.<BeginInvokeAction>b__19(AsyncCallback asyncCallback, Object asyncState)" time="2015-06-20T10:35:41.3420000Z" statusCode="500">
<serverVariables>
<item name="ALL_HTTP">
<value string="HTTP_CONNECTION:keep-alive
 HTTP_CONTENT_LENGTH:328
 HTTP_CONTENT_TYPE:application/x-www-form-urlencoded
 HTTP_ACCEPT:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 HTTP_ACCEPT_ENCODING:gzip, deflate
 HTTP_ACCEPT_LANGUAGE:en-us
 HTTP_HOST:www.----.com
 HTTP_REFERER:https://www.----.com/Account/Login
 HTTP_USER_AGENT:Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F69 Safari/600.1.4
 HTTP_ORIGIN:https://www.----.com
 "/>
</item>
<item name="ALL_RAW">
<value string="Connection: keep-alive
 Content-Length: 328
 Content-Type: application/x-www-form-urlencoded
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Encoding: gzip, deflate
 Accept-Language: en-us
 Host: www.----.com
 Referer: https://www.----.com/Account/Login
 User-Agent: Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F69 Safari/600.1.4
 Origin: https://www.----.com
 "/>
</item>
<item name="APPL_MD_PATH">
<value string="/LM/W3SVC/3/ROOT"/>
</item>
<item name="APPL_PHYSICAL_PATH">
<value string="D:\WebSite\----\"/>
</item>
<item name="AUTH_TYPE">
<value string=""/>
</item>
<item name="AUTH_USER">
<value string=""/>
</item>
<item name="AUTH_PASSWORD">
<value string="*****"/>
</item>
<item name="LOGON_USER">
<value string=""/>
</item>
<item name="REMOTE_USER">
<value string=""/>
</item>
<item name="CERT_COOKIE">
<value string=""/>
</item>
<item name="CERT_FLAGS">
<value string=""/>
</item>
<item name="CERT_ISSUER">
<value string=""/>
</item>
<item name="CERT_KEYSIZE">
<value string="128"/>
</item>
<item name="CERT_SECRETKEYSIZE">
<value string="2048"/>
</item>
<item name="CERT_SERIALNUMBER">
<value string=""/>
</item>
<item name="CERT_SERVER_ISSUER">
<value string="C=GB, S=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO SSL CA"/>
</item>
<item name="CERT_SERVER_SUBJECT">
<value string="OU=Domain Control Validated, OU="Hosted by Korea Information Certificate Authority, Inc.", OU=COMODO SSL, CN=www.----.com"/>
</item>
<item name="CERT_SUBJECT">
<value string=""/>
</item>
<item name="CONTENT_LENGTH">
<value string="328"/>
</item>
<item name="CONTENT_TYPE">
<value string="application/x-www-form-urlencoded"/>
</item>
<item name="GATEWAY_INTERFACE">
<value string="CGI/1.1"/>
</item>
<item name="HTTPS">
<value string="on"/>
</item>
<item name="HTTPS_KEYSIZE">
<value string="128"/>
</item>
<item name="HTTPS_SECRETKEYSIZE">
<value string="2048"/>
</item>
<item name="HTTPS_SERVER_ISSUER">
<value string="C=GB, S=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO SSL CA"/>
</item>
<item name="HTTPS_SERVER_SUBJECT">
<value string="OU=Domain Control Validated, OU="Hosted by Korea Information Certificate Authority, Inc.", OU=COMODO SSL, CN=www.----.com"/>
</item>
<item name="INSTANCE_ID">
<value string="3"/>
</item>
<item name="INSTANCE_META_PATH">
<value string="/LM/W3SVC/3"/>
</item>
<item name="LOCAL_ADDR">
<value string="10.57.14.250"/>
</item>
<item name="PATH_INFO">
<value string="/Account/Register"/>
</item>
<item name="PATH_TRANSLATED">
<value string="D:\WebSite\----\Account\Register"/>
</item>
<item name="QUERY_STRING">
<value string=""/>
</item>
<item name="REMOTE_ADDR">
<value string="222.152.222.107"/>
</item>
<item name="REMOTE_HOST">
<value string="222.152.222.107"/>
</item>
<item name="REMOTE_PORT">
<value string="57745"/>
</item>
<item name="REQUEST_METHOD">
<value string="POST"/>
</item>
<item name="SCRIPT_NAME">
<value string="/Account/Register"/>
</item>
<item name="SERVER_NAME">
<value string="www.----.com"/>
</item>
<item name="SERVER_PORT">
<value string="443"/>
</item>
<item name="SERVER_PORT_SECURE">
<value string="1"/>
</item>
<item name="SERVER_PROTOCOL">
<value string="HTTP/1.1"/>
</item>
<item name="SERVER_SOFTWARE">
<value string="Microsoft-IIS/7.5"/>
</item>
<item name="URL">
<value string="/Account/Register"/>
</item>
<item name="HTTP_CONNECTION">
<value string="keep-alive"/>
</item>
<item name="HTTP_CONTENT_LENGTH">
<value string="328"/>
</item>
<item name="HTTP_CONTENT_TYPE">
<value string="application/x-www-form-urlencoded"/>
</item>
<item name="HTTP_ACCEPT">
<value string="text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"/>
</item>
<item name="HTTP_ACCEPT_ENCODING">
<value string="gzip, deflate"/>
</item>
<item name="HTTP_ACCEPT_LANGUAGE">
<value string="en-us"/>
</item>
<item name="HTTP_HOST">
<value string="www.----.com"/>
</item>
<item name="HTTP_REFERER">
<value string="https://www.----.com/Account/Login"/>
</item>
<item name="HTTP_USER_AGENT">
<value string="Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F69 Safari/600.1.4"/>
</item>
<item name="HTTP_ORIGIN">
<value string="https://www.----.com"/>
</item>
</serverVariables>
<form>
<item name="__RequestVerificationToken">
<value string="NfS-jtWU5SbI8M605BxJI9soh5wRn0BSrDoxLUFbwH_rQfwWZ3R60I1h2uPosZOMnhYpcjgh5Mg5tjDDziNKGZBFTVw1"/>
</item>
<item name="UserName">
<value string="----"/>
</item>
<item name="Password">
<value string="----"/>
</item>
<item name="ConfirmPassword">
<value string="----"/>
</item>
<item name="RealName">
<value string="Earl ----"/>
</item>
<item name="Email">
<value string="[email protected]"/>
</item>
<item name="Birth">
<value string="1984-05-08"/>
</item>
<item name="PhoneNumber">
<value string="083566----"/>
</item>
<item name="AcceptPolicyAndTerm">
<value string="true"/>
<value string="false"/>
</item>
</form>
<cookies>
<item name="ASP.NET_SessionId">
<value string="1avxrf2rgcawh0nywaed03bd"/>
</item>
</cookies>
</error>

Brad C Brad C · Accepted Answer · 2015-06-22T02:26:13

AntiForgeryTokens are based on the logged in user's name among other things so it will fail and throw an error. It looks like this is what is happening to you since it is on the Login method. Basically, a token for unauthorized user is compared to an authorized user's expected token value.

You may have to remove the antiforgery token from the login page. There have been a ton of long drawn out discussions about the topic and no one can come to a consensus.

Here are a few of them:

The required anti-forgery cookie "__RequestVerificationToken" is not present. MVC 5

1 Answers