Question

We are building an application using ASP.NET 4.5 and Visual Studio 2012; the master page included Anti-XSRF code. That code was there when we started working with the application in VS, and we wanted to leave it as it seemed helpful to keep. However, we randomly get an error:

System.InvalidOperationException: Validation of Anti-XSRF token failed.

This happens on a page which has no postback and also on a login page which does have postback, but it's completely random. One person recently mentioned they had logged in as a test user, left the machine inactive for some time, and when they returned they tried to access a secure page, were asked to log in, did log in as another user, then received this error. Otherwise, other users say it happens when they just hit the homepage, which again has no postback.

I was not able to find any solution for this looking around. Is anyone else having this problem?

Solution

The current username is embedded in __VIEWSTATE when the Page is rendered to the browser. When a postback occurs, the anti-XSRF logic checks that the current username matches what is embedded in the submitted __VIEWSTATE. So it is expected that changing the logged-in user in the middle of a workflow (with postbacks) will result in errors. This error should not occur if the user is simply navigating around the site.

If you check the server logs, you'll see that the users were indeed performing postbacks to the pages where failures occurred. The XSRF logic is already conditioned on an "if (IsPostBack)" check. You can verify this for yourself by looking at the Site.master codebehind file.
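A sketch of the kind of master-page check the answer describes, added here as an illustration and not copied from the asker's Site.master or from the answer. The class name, the ViewState key names and the cookie name are assumptions.

```csharp
using System;
using System.Web;
using System.Web.UI;
// Illustrative master page code-behind; class, key and cookie names are assumptions.
public class SiteMasterSketch : MasterPage
{
    private const string TokenKey = "__AntiXsrfToken";       // assumed name
    private const string UserNameKey = "__AntiXsrfUserName"; // assumed name
    private string _token;

    protected void Page_Init(object sender, EventArgs e)
    {
        // Reuse the per-browser token from the cookie, or issue a new one.
        HttpCookie cookie = Request.Cookies[TokenKey];
        Guid parsed;
        if (cookie != null && Guid.TryParse(cookie.Value, out parsed))
        {
            _token = cookie.Value;
        }
        else
        {
            _token = Guid.NewGuid().ToString("N");
            Response.Cookies.Set(new HttpCookie(TokenKey, _token) { HttpOnly = true, Secure = Request.IsSecureConnection });
        }
        // Ties the ViewState integrity check to this browser's token.
        Page.ViewStateUserKey = _token;
        Page.PreLoad += OnPagePreLoad;
    }

    private void OnPagePreLoad(object sender, EventArgs e)
    {
        string currentUser = Context.User.Identity.Name ?? string.Empty;
        if (!IsPostBack)
        {
            // First render: record the token and the user name in ViewState.
            ViewState[TokenKey] = _token;
            ViewState[UserNameKey] = currentUser;
            return;
        }
        // Postback: the submitted ViewState must match the current token and user.
        // A form rendered for user A and posted after signing in as user B fails here.
        if ((string)ViewState[TokenKey] != _token ||
            (string)ViewState[UserNameKey] != currentUser)
        {
            throw new InvalidOperationException("Validation of Anti-XSRF token failed.");
        }
    }
}
```

Logging `Request.HttpMethod`, the URL and both user names just before the `throw` shows which postback carried the stale ViewState.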

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow