CSRF token errors in CMS interface after release

Ryan Anthoney asked on January 23, 2020 18:02

Hi there,

We've done a recent release to our Kentico 11 solution. Nothing much in it, just rendering some webforms fields with data in a pre-existing template.

However it's caused an issue whereby we can't expand any of the pages within the 'Pages' application. Upon doing so we hit a 500 error in the console with the following error in the error log.

Message: Exception of type 'System.Web.HttpUnhandledException' was thrown.

Exception type: System.Web.HttpUnhandledException
Stack trace:
  at System.Web.UI.Page.HandleError(Exception e)
  at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
  at System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
  at System.Web.UI.Page.ProcessRequest()
  at System.Web.UI.Page.ProcessRequest(HttpContext context)
  at ASP.cmsmodules_content_cmsdesk_default_aspx.ProcessRequest(HttpContext context)
  at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
  at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
  at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Message: The CSRF hidden field value didn't match the CSRF cookie value.

Exception type: CMS.Protection.Web.UI.CsrfException
Stack trace:
  at CMS.Protection.Web.UI.CsrfProtection.ThrowCsrfException(String message, Exception innerException)
  at CMS.Protection.Web.UI.CsrfProtection.ValidateCsrfTokens(Byte[] cookieToken, Byte[] hiddenFieldToken)
  at CMS.Protection.Web.UI.CsrfProtection.ValidateTokenInPage(Byte[] csrfToken)
  at System.EventHandler.Invoke(Object sender, EventArgs e)
  at System.Web.UI.Page.OnPreInit(EventArgs e)
  at CMS.UIControls.AbstractCMSPage.OnPreInit(EventArgs e)
  at CMS.UIControls.CMSPage.OnPreInit(EventArgs e)
  at CMSModules_Content_CMSDesk_Default.OnPreInit(EventArgs e) in {--------------------}\CMS\CMSModules\Content\CMSDesk\Default.aspx.cs:line 170
  at System.Web.UI.Page.PerformPreInit()
  at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

Machine name: RCL16-WEB-03
Event URL: /CMSModules/Content/CMSDesk/Default.aspx
URL referrer: ---------------------------/CMSModules/Content/CMSDesk/Default.aspx

I can't replicate this issue locally and even more strange, if I run the website via RDP on the server it is hosted on I don't get the issue. I

Recent Answers


Dat Nguyen answered on January 23, 2020 18:18

Try using an Incognito window in Google Chrome or using Private Browsing Mode in Firefox to see if this error will go away.


Ryan Anthoney answered on January 23, 2020 18:26

Thanks Dat,

Unfortunately that hasn't solved the issue. What I have discovered, though, is that if I try to expand the content tree items quickly enough, before the preview pane loads on the right, it works. But subsequent attempts afterwards then return a 500 error. What I think must be happening is the CSRF cookie is being set but then something is causing the ViewState hidden field to be regenerated, causing them to mismatch.

I've got no idea how to find out what could be causing this though.

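The symptom described in the post above (the first postback succeeds, postbacks after the preview pane has loaded fail) can be reproduced with a simplified model of a double-submit cookie check. This is an added example, not part of the thread and not Kentico's code: the `Server` and `Browser` classes, the `csrf` cookie name and the `reissue_on_every_get` switch are hypothetical, and the model assumes the cookie is the side of the pair that gets replaced after the form was rendered.

```python
import hmac
import secrets


class Server:
    """Simplified double-submit-cookie CSRF check (hypothetical, not Kentico's code)."""

    def __init__(self, reissue_on_every_get=False):
        # Assumption: a misbehaving component re-issues the cookie on each GET.
        self.reissue_on_every_get = reissue_on_every_get

    def get(self, cookies):
        """Render a page: return (hidden field token, Set-Cookie value or None)."""
        token = cookies.get("csrf")
        set_cookie = None
        if token is None or self.reissue_on_every_get:
            token = secrets.token_hex(16)
            set_cookie = token
        return token, set_cookie

    def post(self, cookies, hidden_field):
        """Postback: accept only if hidden field and cookie carry the same token."""
        cookie = cookies.get("csrf", "")
        return bool(cookie) and hmac.compare_digest(cookie, hidden_field)


class Browser:
    """One cookie jar shared by every frame loaded from the same site."""

    def __init__(self, server):
        self.server, self.cookies = server, {}

    def load_frame(self):
        hidden, set_cookie = self.server.get(self.cookies)
        if set_cookie:
            self.cookies["csrf"] = set_cookie  # overwrites the earlier value
        return hidden  # token embedded in this frame's form

    def postback(self, hidden):
        return self.server.post(self.cookies, hidden)


def scenario(reissue):
    browser = Browser(Server(reissue_on_every_get=reissue))
    tree_form = browser.load_frame()     # content tree frame renders
    early = browser.postback(tree_form)  # expand a node before the preview loads
    browser.load_frame()                 # preview pane finishes loading
    late = browser.postback(tree_form)   # expand a node afterwards
    return early, late
```

On a real site the matching check is to watch the responses between rendering the tree and the failing postback for an additional `Set-Cookie` of the CSRF cookie.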

Dat Nguyen answered on January 23, 2020 18:44

Any chance you're not using the right protocol (http/https)?


Ryan Anthoney answered on January 23, 2020 18:46

Unfortunately not,

I'm using the right protocol. It's odd that it seems to be related to this most recent release, but there haven't been any relevant changes that would affect it.
