Saturday, August 3, 2013

How To Solve The anti-forgery token could not be decrypted. If this application is hosted by a Web Farm or cluster, ensure that all machines are running the same version of ASP.NET Web Pages and that the configuration specifies explicit encryption and validation keys. AutoGenerate cannot be used in a cluster. Error In Asp.Net MVC!


The anti-forgery token could not be decrypted. If this application is hosted by a Web Farm or cluster, ensure that all machines are running the same version of ASP.NET Web Pages and that the <machineKey> configuration specifies explicit encryption and validation keys. AutoGenerate cannot be used in a cluster.

Isn't that a beautiful error? Recently, while working on a website I created in Asp.Net MVC 4, I got this error. How, you ask? I'm so glad you asked! The website is hosted right now, and I am developing it on my local development machine and pushing the changes to the live site. From time to time, I leave my computer and leave the website up. There have been times when I was logged into the website, walked away, came back after the session timed out and clicked on a link on the site, only to have the site route me to the sign-in page. That is the expected behavior. What isn't expected is that when I try to sign in I get this beautiful error:

The anti-forgery token could not be decrypted. If this application is hosted by a Web Farm or cluster, ensure that all machines are running the same version of ASP.NET Web Pages and that the <machineKey> configuration specifies explicit encryption and validation keys. AutoGenerate cannot be used in a cluster.

Now WHY do I think this is a beautiful error? Well, unlike some errors you get while developing, this error actually means EXACTLY what it says! I am using the anti-forgery token system in Mvc, which you call from a view with @Html.AntiForgeryToken(). When you use this system straight out of the box, the encryption and validation keys are auto-generated at runtime for you. That is great, until the session terminates. At that point the system loses its reference to those auto-generated keys. When you are kicked out and have to come back, your page still references the old keys, but those are not usable anymore, because the system generated new ones for your new session. The new keys the system generated and the old ones your page references are out of sync, and you get the error.

So what can you do? The answer is simple: follow the directions in the error and specify explicit keys in your web.config file! Add the following to your site's web.config file.

<configuration>
  <system.web>
    <!-- Replace both placeholders with the hex keys generated in IIS.
         Every server that hosts this site must use the same values. -->
    <machineKey decryptionKey="Decryption key goes here, IsolateApps"
                validationKey="Validation key goes here, IsolateApps" />
  </system.web>
</configuration>

You can generate keys by going into IIS and clicking on Machine Key, if you have the right version and the IIS features installed. You will not see Machine Key if you don't; in that case, go to the Control Panel and install the additional IIS features. Then paste those keys into the configuration above. That lets the anti-forgery system work off those fixed keys instead of auto-generating them.
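As an added example (not code from the post or from ASP.NET), a small Python script that emits an explicit <machineKey> element with CSPRNG-generated keys and checks an existing web.config for the pitfalls discussed here: a missing or AutoGenerate key, and placeholder or non-hex text left in the key attributes. The size limits in the code are the ones documented for the ASP.NET machineKey element; the PLACEHOLDER_CONFIG sample is constructed.

```python
# Added example (not from the post or ASP.NET): emit an explicit <machineKey> and
# check an existing web.config for the pitfalls discussed above.
import re
import secrets
import xml.etree.ElementTree as ET

# Documented limits for <machineKey>: validationKey 20..64 bytes (40..128 hex chars);
# decryptionKey 16, 24 or 32 bytes for AES (this checker assumes decryption="AES").
VALIDATION_SIZES = range(20, 65)
AES_DECRYPTION_SIZES = (16, 24, 32)
MODIFIERS = ("IsolateApps", "IsolateByAppId")  # optional suffix, e.g. "<hex>,IsolateApps"

def generate_machine_key() -> str:
    """Build a <machineKey> with fresh CSPRNG keys to paste into every server's web.config."""
    validation = secrets.token_hex(64).upper()  # 64 bytes for HMACSHA256
    decryption = secrets.token_hex(32).upper()  # 32 bytes for AES-256
    return (f'<machineKey validationKey="{validation}" decryptionKey="{decryption}" '
            'validation="HMACSHA256" decryption="AES" />')

def _check_key(value: str, allowed_bytes) -> list:
    """Split off a trailing modifier, then require even-length hex of an allowed size."""
    problems = []
    key, _, modifier = value.partition(",")
    if modifier and modifier.strip() not in MODIFIERS:
        problems.append(f"unknown modifier '{modifier.strip()}'")
    if not re.fullmatch(r"[0-9A-Fa-f]+", key):
        problems.append("value is not hex (placeholder text left in?)")
    elif len(key) % 2 or len(key) // 2 not in allowed_bytes:
        problems.append(f"{len(key)} hex chars is not an allowed key size")
    return problems

def check_web_config(xml_text: str) -> list:
    """Return findings for the machineKey in a web.config; empty means it looks right."""
    node = next(ET.fromstring(xml_text).iter("machineKey"), None)
    if node is None:
        return ["no <machineKey>: keys are auto-generated and differ per server/app domain"]
    findings = []
    for attr, allowed in (("validationKey", VALIDATION_SIZES), ("decryptionKey", AES_DECRYPTION_SIZES)):
        value = node.get(attr, "AutoGenerate")  # AutoGenerate is the ASP.NET default
        if value.startswith("AutoGenerate"):
            findings.append(f"{attr} is AutoGenerate, which cannot be shared across a farm")
        else:
            findings.extend(f"{attr}: {p}" for p in _check_key(value, allowed))
    return findings

PLACEHOLDER_CONFIG = (  # constructed sample: the post's placeholder element deployed as-is
    '<configuration><system.web><machineKey decryptionKey="Decryption key goes here, '
    'IsolateApps" validationKey="Validation key goes here, IsolateApps" />'
    '</system.web></configuration>')
```

Run check_web_config over each server's web.config before deployment; any finding means the nodes will not share a usable key.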

Problem solved!
I just love it when a plan comes together! Don't you?

Smooches,

Kila Morton
 

20 comments:

Unknown said...

I put a machine key in both of my project's web.config files and I already checked that there is no multiple @Html.AntiForgeryToken(). I have two projects developed in Asp.Net 4; when deployed locally they give me the following error on the first attempt, and there is no problem the second time. I also deleted the cookies and browsing history, just to make sure, but same result. You can check my question on stackoverflow http://stackoverflow.com/questions/20655931/on-initial-login-on-local-site-getting-anti-forgery-cookie-token-error-when-try

Any idea????

Kila Morton said...

Hi Ikram!
You said that you already checked that there are NOT multiple @Html.AntiForgeryToken() references, but I'm not convinced. So let me ask you something.
Do you have ANY Partials being referenced in your view? Did you check those partials to see if you included the AntiForgeryTokens in them? If you want real help, post another comment. You and I can converse and use some tool to allow you to show me your code. I could be wrong, but it sounds like you have a second token somewhere.

Unknown said...

Thanks a lot, you solved my problem

kevin said...

Thanks a lot, I had @Html.AntiForgeryToken() in my partial view and it made the key repeat. Once removed, problem solved.

Kevin Ross said...

Hello Kila Morton,

After adding your given code in the web.config file, my website gives me an error.

Unknown said...

Many thanks. It solved my problem and I'll be aware of this problem, as you explained the solution very clearly.
Thanks

Phillip Spring said...

marry me. now.

Doremon said...

Thanks for the post! Great tip!

Unknown said...

Hi guy, it's not working for me :(
I put the machine key in my web.config and ran my application, but the same error is displayed when I log in to the site...

I created a topic on MSDN (pt-br); if you can take a look, or tell me here what I need to do, I'll be very grateful, thanks

http://social.msdn.microsoft.com/Forums/pt-BR/0e4b8427-fc3e-4f2b-b782-d60ea3d2b7f7/the-antiforgery-token-could-not-be-decrypted-erro-aparece-com-machine-key-no-webconfig-?forum=mvcpt

Anonymous said...

Thanks a lot guys ...

Gururaj said...

kila mortan thanksssssssss....

Unknown said...

Just wanted to say thanks - this solved my problem (almost)! Very helpful :-)

When I generated the Hex code, I received an error "Decryption key specified has invalid hex characters". I fixed this by removing ",IsolateApps" from the string. More info here: http://stackoverflow.com/questions/15002960/isolateapps-causes-decryption-key-specified-has-invalid-hex-characters

Unknown said...

I put the machine key in the web.config in the .NET installation folder at C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config and removed the key in the solutions. Should this not mean that the same key is used across the apps on the server? But I am still getting this error. What could be the reason?

Joseph said...

Great, in my case, remove ",IsolateApps" from both keys to avoid a web.config compilation error

น้องส้มส้ม said...

I'm interested in reading this very much. Because this makes me know a lot of it. For anyone who wants to know this, read it.


Ahamed Shaamil said...

I may be way too late to comment on this, but I have a small question. I also came across this problem when redirected to the login page after the session timed out. If we are to deploy the web application to a new environment, shouldn't we do this manually on those environments as well? Like, during deployment we have to add a manual step to go to IIS, get the keys and update the keys in the web.config. Also, what if the IIS in the new environment is configured to automatically generate instead of fixed values?

Shoukat Malik said...

We are using requests from multiple servers. A few days ago, when I added CSRF on the login page, it started giving the below error.

The anti-forgery token could not be decrypted. If this application is hosted by a Web Farm or cluster, ensure that all machines are running the same version of ASP.NET Web Pages and that the configuration specifies explicit encryption and validation keys. AutoGenerate cannot be used in a cluster., URL->https://akhbaar24.argaam.com/account/validateloginargaam, Controller -> account , at -> 1/5/2020 2:18:32 PM, Host -> 10.0.10.162, Client IP -> 94.200.83.222
at System.Web.Helpers.AntiXsrf.AntiForgeryTokenSerializer.Deserialize(String serializedToken)
at System.Web.Helpers.AntiXsrf.AntiForgeryWorker.Validate(HttpContextBase httpContext)
at System.Web.Mvc.ControllerActionInvoker.InvokeAuthorizationFilters(ControllerContext controllerContext, IList`1 filters, ActionDescriptor actionDescriptor)
at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass25.b__1e(AsyncCallback asyncCallback, Object asyncState)

Shoukat Malik said...

I have checked my code; I used a single anti-forgery token. There is no duplication of the key.

JW said...

Thank you for this post....it REALLY helped me!!
BTW: I LOVE your style!!! You Rock

"smooches"
JW

Anonymous said...

Thanks for this post. If my app is hosted in a web farm under a load balancer, I just wanted to check if we can configure the machine key on one server in IIS and copy the same to the other server instead of adding it manually to the web.config file. Please advise.