I am using Membership.create user function, then the following error is occurring,
The required anti-forgery form field "__RequestVerificationToken" is not present
How can I fix this?
This question is related to
asp.net-mvc-4
asp.net-membership
The answer is
If anyone experiences the error for the same reason why I experience it, here's my solution:
if you had Html.AntiForgeryToken();
change it to @Html.AntiForgeryToken()
Like this:
The Controller
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult MethodName(FormCollection formCollection)
{
...
Code Block
...
}
The View:
@using(Html.BeginForm())
{
@Html.AntiForgeryToken()
<input name="..." type="text" />
// rest
}
In my case, I had this in my web.config:
<httpCookies requireSSL="true" />
But my project was set to not use SSL. Commenting out that line or setting up the project to always use SSL solved it.
Another possibility for those of us uploading files as part of the request. If the content length exceeds <httpRuntime maxRequestLength="size in kilo bytes" /> and you're using request verification tokens, the browser displays the 'The required anti-forgery form field "__RequestVerificationToken" is not present' message instead of the request length exceeded message.
Setting maxRequestLength to a value large enough to cater for the request cures the immediate issue - though I'll admit it's not a proper solution (we want the user to know the true problem of file size, not that of request verification tokens missing).
Make sure in your controller that you have your http attribute like:
[HttpPost]
also add the attribute in the controller:
[ValidateAntiForgeryToken]
In your form on your view you have to write:
@Html.AntiForgeryToken();
I had Html.AntiForgeryToken(); without the @ sign while it was in a code block, it didn't give an error in Razor but did at runtime. Make sure you look at the @ sign of @Html.Ant.. if it is missing or not
In my case I was getting this error while making an AJAX post, it turned out to be that the __RequestVerificationToken value wasn't being passed across in the call. I had to manually find the value of this field and set this as a property on the data object that's sent to the endpoint.
i.e.
data.__RequestVerificationToken = $('input[name="__RequestVerificationToken"]').val();
Example
HTML
<form id="myForm">
@Html.AntiForgeryToken()
<!-- other input fields -->
<input type="submit" class="submitButton" value="Submit" />
</form>
Javascript
$(document).on('click', '#myForm .submitButton', function () {
var myData = { ... };
myData.__RequestVerificationToken = $('#myForm input[name="__RequestVerificationToken"]').val();
$.ajax({
type: 'POST',
url: myUrl,
data: myData,
contentType: 'application/x-www-form-urlencoded; charset=utf-8',
dataType: 'json',
success: function (response) {
alert('Form submitted');
},
error: function (e) {
console.error('Error submitting form', e);
alert('Error submitting form');
},
});
return false; //prevent form reload
});
Controller
[HttpPost]
[Route("myUrl")]
[ValidateAntiForgeryToken]
public async Task<ActionResult> MyUrlAsync(MyDto dto)
{
...
}
Another thing that can cause this (just ran into this) is the following: if you for some reason disable all your input fields in your form. it will disable the hidden input field that holds your verification token. when the form will be posted back the token value will be missing and will generate the error that it is missing. so what you need to do is to re-enable the input field that holds the verification token and all will be well.
All the other answers in here are also valid, but if none of them solve the issue it is also worth checking that the actual headers are being passed to the server.
For example, in a load balanced environment behind nginx, the default configuration is to strip out the __RequestVerificationToken header before passing the request on to the server, see: simple nginx reverse proxy seems to strip some headers
In my case it was due to adding requireSSL=true to httpcookies in webconfig which made the AntiForgeryToken stop working. Example:
<system.web>
<httpCookies httpOnlyCookies="true" requireSSL="true"/>
</system.web>
To make both requireSSL=true and @Html.AntiForgeryToken() work I added this line inside the Application_BeginRequest in Global.asax
protected void Application_BeginRequest(object sender, EventArgs e)
{
AntiForgeryConfig.RequireSsl = HttpContext.Current.Request.IsSecureConnection;
}
In my case incorrect domain in web.config for cookies was the reason:
<httpCookies domain=".wrong.domain.com" />
Sometimes you are writing a form action method with a result list. In this case, you cannot work with one action method. So you have to have two action methods with the same name. One with [HttpGet] and another with [HttpPost] attribute.
In your [HttpPost] action method, set [ValidateAntiForgeryToken] attribute and also put @Html.AntiForgeryToken() in your html form.
Also make sure avoid not use [ValidateAntiForgeryToken] under [HttpGet].
[HttpGet]
public ActionResult MethodName()
{
..
}
i'd like to share mine, i have been following this anti forgerytoken tutorial
using asp.net mvc 4 with angularjs, but it throws an exception everytime i request using $http.post and i figured out the solution is just add
'X-Requested-With': 'XMLHttpRequest' to the headers of $http.post, because it seems like the (filterContext.HttpContext.Request.IsAjaxRequest())
does not recognize it as ajax and here is my example code.
App.js
var headers = {
'X-Requested-With': 'XMLHttpRequest',
'RequestVerificationToken': $scope.token,
'Content-Type': 'application/json; charset=utf-8;'
};
$http({
method: 'POST',
url: baseURL + 'Save/User',
data: JSON.stringify($scope.formData),
headers: headers
}).then(function (values) {
alert(values.data);
}).catch(function (err) {
console.log(err.data);
});
SaveController
[HttpPost]
[MyValidateAntiForgeryToken]
public ActionResult User(UserModel usermodel)
{
....
Got this error in Chrome with default login for ASP.NET with Individual User Accounts
.cshtml:
@using (Html.BeginForm("Login", "Account", new { ReturnUrl = ViewBag.ReturnUrl }, FormMethod.Post, new { @class = "form-horizontal", role = "form" }))
{
@Html.AntiForgeryToken()
<h4>Use a local account to log in.</h4>
Controller:
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
Solved by clearing site data for the site:
In my EPiServer solution on several controllers there was a ContentOutputCache attribute on the Index action which accepted HttpGet. Each view for those actions contained a form which was posting to a HttpPost action to the same controller or to a different one. As soon as I removed that attribute from all of those Index actions problem was gone.
You will receive the error even when Cookies are not enabled.
In my case, I had this javascript on the form submit:
$('form').submit(function () {
$('input').prop('disabled', true);
});
This was removing the hidden RequestVerificationToken from the form being submitted. I changed that to:
$('form').submit(function () {
$('input[type=submit]').prop('disabled', true);
$('input[type=text]').prop('readonly', true);
$('input[type=password]').prop('readonly', true);
});
... and it worked fine.
Because this comes up with the first search of this:
I had this issue only in Internet Explorer and couldnt figure out the what the issue was. Long story short it was not saving the cookie portion of the Token because our (sub)domain had an underscore in it. Worked in Chrome but IE/Edge didnt not like it.
Source: Stackoverflow.com