Background
I have a relatively new ASP.NET Core 2 site. It's running on just one server, and I only restart the site once every few days when I upload an update. About once a day, a user's request fails due to rejection by the anti-forgery system. These are POST requests, and there's nothing particularly special about them. I'm including the anti-forgery value in the POST request, and 99% of the time, they work. The stdout log says, "Antiforgery token validation failed. The antiforgery cookie token and request token do not match."
Errors
I've included the relevant portions of the stdout log below.
info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1]
Request starting HTTP/1.1 POST [domain redacted] application/x-www-form-urlencoded 234
info: Microsoft.AspNetCore.Mvc.ViewFeatures.Internal.ValidateAntiforgeryTokenAuthorizationFilter[1]
Antiforgery token validation failed. The antiforgery cookie token and request token do not match.
Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The antiforgery cookie token and request token do not match.
at Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgery.ValidateTokens(HttpContext httpContext, AntiforgeryTokenSet antiforgeryTokenSet)
at Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgery.<ValidateRequestAsync>d__9.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.AspNetCore.Mvc.ViewFeatures.Internal.ValidateAntiforgeryTokenAuthorizationFilter.<OnAuthorizationAsync>d__3.MoveNext()
info: Microsoft.AspNetCore.Mvc.RazorPages.Internal.PageActionInvoker[3]
Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.ViewFeatures.Internal.AutoValidateAntiforgeryTokenAuthorizationFilter'.
info: Microsoft.AspNetCore.Mvc.StatusCodeResult[1]
Executing HttpStatusCodeResult, setting HTTP status code 400
info: Microsoft.AspNetCore.Mvc.RazorPages.Internal.PageActionInvoker[2]
Executed action /Index in 2.6224ms
warn: Microsoft.AspNetCore.Antiforgery.Internal.DefaultAntiforgery[1]
Antiforgery validation failed with message 'The antiforgery cookie token and request token do not match.'.
For requests that result in the above stdout output, IAntiforgery.IsRequestValidAsync agrees by returning false. Here's a reduced example of a failed POST request and the associated cookie.
POST: __RequestVerificationToken=CfDJ8MaM8-ULaotKhrvVVKXdGgUxork4jTkt343ArrABhTtbRVKMxPm7suOo6490GWo8QoQmFNt8iL1XjajwYezj_y3exGfXYM8pXgNPjkTuPgG-Hlzdw7Kg_hu_yiPkQo2KKjBZB5NOIWfPqBecVMEsKOQ
Cookie: .AspNetCore.Antiforgery.ClRyCRmWApY:CfDJ8MaM8-ULaotKhrvVVKXdGgVKKYfnM3HQVB1OgVz-ty6QaZDh-PDHS5pj7D-dIZRDx85uTCXjdTvV8FoAKLlti4poxLBrzze7dkGCSbWFgWUbr-UDxSyHFgOw2dpV0gvA0M7R39ENzzJiboDv11aUQPM
The error message said, "The antiforgery cookie token and request token do not match." The POST and cookie strings are not exact matches, but in my experience, they never are. They look very similar to every other anti-forgery POST and cookie pair I normally see, so I can't deduce what's going wrong here.
ASP.NET Core 2 on GitHub
I decided to look at the source code of ASP.NET Core 2. I found this file, especially line 145:
https://github.com/aspnet/Antiforgery/blob/dev/src/Microsoft.AspNetCore.Antiforgery/Internal/DefaultAntiforgeryTokenGenerator.cs
That line gets the message "The antiforgery cookie token and request token do not match." from this file at line 134:
https://github.com/aspnet/Antiforgery/blob/dev/src/Microsoft.AspNetCore.Antiforgery/Resources.resx
So I think that's where the message is originating, but I'm still left wondering why this is happening.
Question
Would someone please help me figure out why these anti-forgery tokens aren't validating? Is it possible the user's Web browser is mangling the cookie or POST data? I've noticed it happening in Google Chrome, so maybe a plugin is doing it. Does anyone have experience in this area or any suggestions? Thank you.
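One way to get more data on the failing requests than the stdout log gives is a small diagnostic middleware that runs before MVC and records what the antiforgery filter is about to see. This is an added example written against ASP.NET Core 2.0 APIs, not code from the question or from the ASP.NET Core project; the class name is hypothetical. It counts the `.AspNetCore.Antiforgery.*` cookies in the raw Cookie header rather than in `Request.Cookies`, because a browser holding two antiforgery cookies under that name (set for different paths or domains) sends both, and the server then validates the form token against whichever arrives first, which surfaces as the "cookie token and request token do not match" error shown above.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

// Hypothetical diagnostic middleware; register it in Startup.Configure before
// app.UseMvc() with: app.UseMiddleware<AntiforgeryDiagnosticsMiddleware>();
public class AntiforgeryDiagnosticsMiddleware
{
    private const string CookiePrefix = ".AspNetCore.Antiforgery.";
    private readonly RequestDelegate _next;
    private readonly ILogger<AntiforgeryDiagnosticsMiddleware> _logger;
    private readonly string _formFieldName; // "__RequestVerificationToken" unless reconfigured

    public AntiforgeryDiagnosticsMiddleware(RequestDelegate next,
        ILogger<AntiforgeryDiagnosticsMiddleware> logger,
        IOptions<AntiforgeryOptions> options)
    {
        _next = next;
        _logger = logger;
        _formFieldName = options.Value.FormFieldName;
    }

    public async Task Invoke(HttpContext context)
    {
        if (HttpMethods.IsPost(context.Request.Method) && context.Request.HasFormContentType)
        {
            // Parse the raw header: IRequestCookieCollection is keyed by name and
            // would silently hide a duplicate cookie, which is what we want to see.
            var antiforgeryCookies = context.Request.Headers["Cookie"]
                .SelectMany(h => h.Split(';'))
                .Select(c => c.Trim())
                .Where(c => c.StartsWith(CookiePrefix, StringComparison.Ordinal))
                .Select(c => c.Split(new[] { '=' }, 2)[0])
                .ToList();

            // ReadFormAsync caches the parsed form, so MVC can still read it afterwards.
            var form = await context.Request.ReadFormAsync();
            _logger.LogInformation(
                "Antiforgery diagnostics {Path}: token field present={HasToken}, " +
                "antiforgery cookies={Count} [{Names}], UA={UserAgent}",
                context.Request.Path, form.ContainsKey(_formFieldName),
                antiforgeryCookies.Count, string.Join(",", antiforgeryCookies),
                context.Request.Headers["User-Agent"].ToString());
        }
        await _next(context);
    }
}
```

Correlate its output with the `Antiforgery token validation failed` lines: a count of 2 or more, or a missing token field, narrows the cause to the client's cookie state rather than the server's token generation.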