Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Cathrin Münzenmaier 3 posts 73 karma points
    Jul 24, 2023 @ 13:34
    Cathrin Münzenmaier
    0

    Umbraco Forms antiforgery cookie not present

    Hi there,

    when submitting a form (via Umbraco Forms) we're receiving the following server error: "Microsoft.AspNetCore.Antiforgery.AntiforgeryValidationException: The required antiforgery cookie is not present.".

    This behaviour occurs quite randomly, since this happens on multiple browsers. Even the UMB* system cookies are not being set, when this error occurs. But sometimes the form is being submitted without errors and with the needed cookies present.

    We are currently on Umbraco Forms version 10.4.0 (Umbraco Cms version 10.5.1) but it happend also on version 9.5.2 (Umbraco Cms version 9.5.2). The hidden field with the _RequestVerificationToken is rendered everytime.

    We tried to render the form from a view component instead of the RTE but that doesn't changed anything.

    Does anybody have this issue too or an idea what we can try to fix it?

  • Cai Lehwald 3 posts 23 karma points
    Sep 12, 2023 @ 10:01
    Cai Lehwald
    0

    We are also having this issue on Umbraco 8.18.9 Forms version 8.13.10 hosted on azure.

    I have enabled some exception reporting in the Global.asax.cs to notify me when the issue occurs and there seems to be no rhyme or reason to it.

    It happens intermittently for any browser or device on any form which makes it impossible to recreate for debugging.

    We have tried turning off all azure instance scaling and disabling caching but i still get exception reports indicating its occurring to genuine users.

    This biggest issue with this problem is it throws a server error only after the user has filled out the form and tried to submit, which wastes their time.

    As a temporary solution I tried to see if I could detect if the cookie has been set on page load to prompt the user to refresh but as a http only cookie its not accessible via JavaScript and can't be detected in the view as it wont exist until after @Html.AntiForgeryToken() has run.

    There is a form validate event we can hook into via an IUserComposer:

    public void Compose(Composition composition)
    {
        // Attach a handler to the `FormValidate` event of UmbracoForms
        UForms.Web.Controllers.UmbracoFormsController.FormValidate += FormsController_FormValidate;
    }
    

    I'm going to attempt to detect the cookie there and throw a validation error if its missing hopefully preventing the server error and allowing the user to refresh the page. Theoretically that would set the cookie without losing field data. I'll let you know how that works out.

  • Cai Lehwald 3 posts 23 karma points
    Sep 12, 2023 @ 10:32
    Cai Lehwald
    0

    Unfortunately that idea didn't work. The server error to check for the cookie gets thrown before the validate event is triggered.

  • Cai Lehwald 3 posts 23 karma points
    Sep 12, 2023 @ 12:52
    Cai Lehwald
    0

    It's a little roundabout but i have a solution to at least confirm the cookie exists for the user and warn them.

    Register an API controller like so to inject the IHttpContextAccessor and return true or false if the cookie exists in the request :

     public class FormsController : UmbracoApiController
    {
        private readonly IHttpContextAccessor httpContextAccessor;
    
        public FormsController(IHttpContextAccessor httpContextAccessor)
        {
            this.httpContextAccessor = httpContextAccessor;
        }
    
        [Route("CheckToken")]
        [HttpGet]
        public bool CheckToken()
        {
            var token = httpContextAccessor.HttpContext.Request.Cookies.Get("__RequestVerificationToken");
    
            return token != null;
        }
    }
    

    Add a small bit of JavaScript (I'm also using jQuery here) to query the API from the client and let the user know if the cookie is missing in the request:

    var formPage = $('.umbraco-forms-form');
    
    if (formPage[0] != undefined) {
        $.get(domain + "/api/forms/CheckToken", function (response) {
            if (response == false) {
                formPage.prepend('(Your cookie missing warning html message)')
            }
        });
    }
    

    Note retrieving a cookie is different in U9+ because of .NET Core so you will need to something along the lines of Request.Cookies["__RequestVerificationToken"] instead if .Get()

Please Sign in or register to post replies

Write your reply to:

Draft