Saturday, August 3, 2013

How To Solve The anti-forgery token could not be decrypted. If this application is hosted by a Web Farm or cluster, ensure that all machines are running the same version of ASP.NET Web Pages and that the <machineKey> configuration specifies explicit encryption and validation keys. AutoGenerate cannot be used in a cluster. Error In Asp.Net MVC!


The anti-forgery token could not be decrypted. If this application is hosted by a Web Farm or cluster, ensure that all machines are running the same version of ASP.NET Web Pages and that the <machineKey> configuration specifies explicit encryption and validation keys. AutoGenerate cannot be used in a cluster.

Isn't that a beautiful error? Recently, while working on a website I created in Asp.Net MVC 4, I got this error. How, you ask? I'm so glad you asked! The website is hosted right now and I am developing it on my local development machine and pushing the changes to the actual website. From time to time, I leave my computer and leave the website up. There have been times when I was logged into the website, walked away, came back after the session timed out and clicked on a link on the site only to have the site route me to the sign-in page. That is the expected behavior. What isn't expected is that when I try to sign in I get this beautiful error -

The anti-forgery token could not be decrypted. If this application is hosted by a Web Farm or cluster, ensure that all machines are running the same version of ASP.NET Web Pages and that the <machineKey> configuration specifies explicit encryption and validation keys. AutoGenerate cannot be used in a cluster.

Now WHY do I think this is a beautiful error? Well, unlike some errors you get while developing, this error actually means EXACTLY what it says! I am using the anti-forgery token system in MVC. You call that using this syntax: @Html.AntiForgeryToken(). When you use this system straight out of the box, the encryption and validation keys are auto-generated at runtime for you. That is great - until the session terminates. At that point, the system loses a reference to those auto-generated keys. Then, when you are kicked out of the system and have to come back, it still has a reference to the old keys, but those are not usable anymore - since the system generated new ones for your new session. All of a sudden, the new one the system generated and the old one your page is referencing are not in sync and you get the error.

So what can you do? The answer is simple - follow directions and generate the keys in your web.config file! Add the following to your site's web.config file.

<configuration>
  <system.web>
    <machineKey decryptionKey="Decryption key goes here, IsolateApps"
                validationKey="Validation key goes here, IsolateApps" />
  </system.web>
</configuration>

You can generate keys by going into IIS and clicking on Machine Key - if you have the right version and IIS features installed. You will not see Machine Key if you don't. If you don't, you can go to the Control Panel and install additional IIS features. Then, paste those keys into the configuration above. That will allow the anti-forgery system to work off of those instead of auto-generating them.
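
If the Machine Key feature is not available in IIS, the keys can also be generated from PowerShell. The script below is an added example, not code from the original post: the function names are hypothetical, the AES and HMACSHA256 algorithm choice is an assumption, and the sample web.config is constructed. It generates an explicit machineKey element and checks a config for keys that are still auto-generated or left as placeholders.

```powershell
# Added example; function names are hypothetical, not from the original post.
function New-HexKey([int]$Bytes) {
    $buf = New-Object byte[] $Bytes
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($buf) } finally { $rng.Dispose() }
    ($buf | ForEach-Object { $_.ToString('X2') }) -join ''
}

function New-MachineKeyElement {
    # Assumed algorithms: AES with a 32-byte key, HMACSHA256 with a 64-byte key.
    $dec = New-HexKey 32
    $val = New-HexKey 64
    '<machineKey decryption="AES" decryptionKey="{0}" validation="HMACSHA256" validationKey="{1}" />' -f $dec, $val
}

function Test-MachineKey([string]$WebConfigXml) {
    $mk = ([xml]$WebConfigXml).SelectSingleNode('/configuration/system.web/machineKey')
    if ($null -eq $mk) { return 'machineKey missing: keys are auto-generated' }
    foreach ($name in 'decryptionKey', 'validationKey') {
        # Drop an optional modifier such as ",IsolateApps" before checking the key itself.
        $key = ($mk.GetAttribute($name) -split ',')[0].Trim()
        if ($key -eq '' -or $key -eq 'AutoGenerate') { return "$name is auto-generated" }
        if ($key -notmatch '^([0-9A-Fa-f]{2})+$') { return "$name is not a hex key" }
    }
    'explicit keys present'
}

# Constructed sample input: a config that still relies on auto-generated keys.
$sample = @'
<configuration>
  <system.web>
    <machineKey decryptionKey="AutoGenerate,IsolateApps" validationKey="AutoGenerate,IsolateApps" />
  </system.web>
</configuration>
'@

Test-MachineKey $sample
$fixed = $sample -replace '<machineKey[^>]*/>', (New-MachineKeyElement)
Test-MachineKey $fixed
```

The generated keys are secrets: anyone who has them can forge the tokens they protect, so keep them out of source control. In a web farm, every machine needs the same element.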

Problem solved!
I just love it when a plan comes together! Don't you?

Smooches,

Kila Morton