Anti Forgery Token and Machine Key

If you have worked on ASP.NET MVC, you will know the anti-forgery token, which helps protect a website against cross-site request forgery (CSRF).

To use this feature, call the AntiForgeryToken method inside a form and add the ValidateAntiForgeryToken attribute to the action method you want to protect:

  • Call AntiForgeryToken from the form

  • Add the ValidateAntiForgeryToken attribute to the POST action

How does it work?

When the AntiForgeryToken method is called inside a form, ASP.NET generates an encrypted anti-forgery token, puts it into a hidden field and sends it to the browser with the page. When the browser submits the form back to the server, the token is decrypted and validated to ensure the request is genuine before the target action method executes, as long as that action method has been marked with the ValidateAntiForgeryToken attribute.

The generated token looks like this (screenshot in the original post):

What is the issue?

When the website is deployed into an environment where several servers are load balanced together (a web farm), you may run into the following error when the submit button is clicked:

The anti-forgery token could not be decrypted. If this application is hosted by a Web Farm or cluster, ensure that all machines are running the same version of ASP.NET Web Pages and that the configuration specifies explicit encryption and validation keys. AutoGenerate cannot be used in a cluster.

Why did this issue happen?

Assume that the environment has two load-balanced servers, as in the diagram below:

Farm servers diagram

Internally, ASP.NET uses two keys, decryptionKey and validationKey, to encrypt/decrypt the token and to validate it. By default, these keys are generated randomly when the website starts.

Looking at the diagram above, there are two instances of the website hosted on different web servers in a single web farm. When each instance starts, it generates its own set of keys, so the keys differ between the two instances.

Now, a request from user A is routed to server 1 by the load balancer, and the website responds with a view containing an encrypted AntiForgeryToken. Later on, user A submits the form back to the load balancer, hoping that it will be handled by server 1.

Unfortunately, the load balancer routes that request to server 2 instead, and the token that was encrypted by server 1 cannot be decrypted on server 2 because the keys are different. So the error is thrown.

The fix is to ensure that all instances of the website in a single web farm use the same set of keys for encryption/decryption and validation. Two constraints still apply:

  • The keys should be different for each website on the same server. So if you have multiple websites hosted on the same server, each website's keys should be unique.
  • The keys should be different for each environment of the same website. So if your website is hosted in multiple environments, ensure that the keys in each environment are different as well.

The solution for IIS

The question is how to share the set of keys across the servers in the farm so that encryption and decryption can succeed on any server.

Fortunately, when an ASP.NET MVC website is hosted on IIS you can generate a set of keys with the steps below:

  1. Click on the website in IIS Manager.
  2. Double-click Machine Key.
  3. Uncheck all checkboxes, click the Generate button on the right side, and then click Apply.
  4. The keys are saved into the website's web.config file.
  5. Open the web.config file, copy those keys and apply them to every instance of the website in the farm.
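As an added illustration (not from the original post), the web.config fragment below shows the default that the error message warns about next to the explicit machineKey element that the IIS steps above produce and that has to be identical on every server in the farm. The attribute names and algorithm values are the standard ASP.NET ones; the two key values are placeholders to be replaced by the keys IIS generates for the site.

```xml
<!-- Added example, not from the original post. Key values are placeholders. -->
<configuration>
  <system.web>

    <!-- Default behaviour (the same as omitting the element entirely):
         each worker process generates its own keys when it starts, so a
         token issued by server 1 cannot be decrypted on server 2.
         This is the "AutoGenerate" the error message says cannot be used
         in a cluster. -->
    <!--
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps" />
    -->

    <!-- Web-farm setting: explicit keys, identical on every server that
         hosts this website, but different from the keys of any other
         website on the same server and from this website's keys in other
         environments (test, staging, production).
         validationKey: 128 hex characters (64 bytes) for HMACSHA256.
         decryptionKey: 64 hex characters (32 bytes) for AES. -->
    <machineKey validation="HMACSHA256"
                decryption="AES"
                validationKey="REPLACE_WITH_128_HEX_CHARS_GENERATED_BY_IIS"
                decryptionKey="REPLACE_WITH_64_HEX_CHARS_GENERATED_BY_IIS" />
  </system.web>
</configuration>
```

Because these keys are what stands between a forged request and a valid token, treat them like any other secret: generate them once per site and environment, distribute the same element to each farm member, and keep the file that holds them out of shared or public source control.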

Now, try submitting the form on your website again. The issue should be resolved.
