1

I have an MVC 4 web application with ELMAH running in the background to help me keep track of any errors occurring on the website. I have noticed a good few errors happening stating the following

System.Web.Mvc.HttpAntiForgeryException: The required anti-forgery form field "__RequestVerificationToken" is not present.

The majority of these errors seem to be happening when a user attempts to log into my website. To be honest, I just used the out of the box MVC 4 Visual Studio login View for this, ie, my View has the following

@using (Html.BeginForm(new { ReturnUrl = ViewBag.ReturnUrl }))
{
    @Html.AntiForgeryToken()
    @Html.ValidationSummary(true)

//textboxes for username and password 
//login button

}

And then my Account Controller with Login Action

 [HttpPost]
 [AllowAnonymous]
 [ValidateAntiForgeryToken]
 public ActionResult Login(LoginModel model, string returnUrl)
 {
      if (ModelState.IsValid && _accountService.Logon(model.Email, model.Password,false))
      {

      }

 }

Do you think anything looks wrong with this code? I am not sure how to get rid of these errors.

Any feedback or advice would be appreciated.

Thanks.

tereško
  • 58,060
  • 25
  • 98
  • 150
tcode
  • 5,055
  • 19
  • 65
  • 124
  • 2
    I hope this will help you http://stackoverflow.com/questions/7766975/requestverificationtoken-does-not-match – Jaimin Aug 22 '13 at 09:46

1 Answers1

0

I've had a user report the same problem and we've identified that it happens when they click the login button twice.

I assume the problem is that logging in changes the token, but when the form is resubmitted it has the old token. One solution would be to disable to login button so the user can only submit the form once.

That's not perfect though, as the login may time out or something and they won't be able to try again without reloading the page, so I'm currently looking for better solutions.

thelem
  • 2,642
  • 1
  • 24
  • 34