Anti Forgery with Blazor Server App

Question

Anti Forgery with Blazor Server App

Balu Raju 81

we upgraded our blazor server app from .Net 6 to .Net 8 following the instructions from https://free.blessedness.top/en-us/aspnet/core/migration/70-80?view=aspnetcore-8.0&tabs=visual-studio Below is the snippet from the Program.cs where app.UseAntiForgery() is called. Our Blazor app calls several API calls hosted separately on the IIS server as the Blazor Server App is hosted on. While this works in VS IDE using IIS express (localhost), it does not work when it is hosted on the IIS Server. I see the following error in the event log. "The Anitforgery Token could not be decrypted. User's image

In the Development tool I see the following User's image

Code snippet from Program.cs app.UseHttpsRedirection(); app.UseSession(); app.UseStaticFiles(); app.UseAuthentication(); app.UseAuthorization(); app.UseRouting(); app.UseAntiforgery(); app.MapControllers(); app.MapRazorComponents<App>() .AddInteractiveServerRenderMode(); app.Run();

AgaveJoe 30,396 Reputation points

2024-02-09T18:27:43.08+00:00

Are you sure the event viewer log with the anti-forgery token message is related to the error messages in Dev tools? Dev tools indicates that the server cannot establish a Web Socket connection and it dropped back to long polling. Is the web socket feature enabled on the web server? Is the web socket url correct? Have you tried creating an new .NET 8 Blazor Web Application and deploying it to your server? Do you get the same error message?
Balu Raju 81 Reputation points

2024-02-09T18:41:26.56+00:00

The error about AntiForgery that I see in the event log happens when I try to launch right after recycling the application pool. simultaneously, I see the errors I see in dev tools. but the error I see in the dev tools happens everytime, first time and subsequent times. So,they may not be related.
Web socket was not enabled first but then that shouldn't be a problem. Any ways now I enabled the web socket that to be sure if that makes any difference, but it does not here is the new Dev Tool error
Bruce (SqlWork.com) 81,206 Reputation points Volunteer Moderator

2024-02-09T19:29:17.21+00:00

if you recycle the app pool, all the existing anti-forgery token are invalid. your blazor code should detect the invalid-token and request a new one.
Williams, Billy P 0 Reputation points

2025-10-09T11:53:44.8033333+00:00

I am having this similar issue where if someone is logged off out of inactivity and I deploy an update that resets the app pool if they try and log in it throws the antiforgery exception. Is there a way when they click to login it can force a refresh to crab a new one if the old one is not valid anymore? I feel like I am missing something really simple. Thanks!

2 answers

Your answer

AgaveJoe 30,396 Reputation points

2024-02-09T18:27:43.08+00:00

Are you sure the event viewer log with the anti-forgery token message is related to the error messages in Dev tools? Dev tools indicates that the server cannot establish a Web Socket connection and it dropped back to long polling. Is the web socket feature enabled on the web server? Is the web socket url correct? Have you tried creating an new .NET 8 Blazor Web Application and deploying it to your server? Do you get the same error message?
Balu Raju 81 Reputation points

2024-02-09T18:41:26.56+00:00

The error about AntiForgery that I see in the event log happens when I try to launch right after recycling the application pool. simultaneously, I see the errors I see in dev tools. but the error I see in the dev tools happens everytime, first time and subsequent times. So,they may not be related.
Web socket was not enabled first but then that shouldn't be a problem. Any ways now I enabled the web socket that to be sure if that makes any difference, but it does not here is the new Dev Tool error
Bruce (SqlWork.com) 81,206 Reputation points Volunteer Moderator

2024-02-09T19:29:17.21+00:00

if you recycle the app pool, all the existing anti-forgery token are invalid. your blazor code should detect the invalid-token and request a new one.
Williams, Billy P 0 Reputation points

2025-10-09T11:53:44.8033333+00:00

I am having this similar issue where if someone is logged off out of inactivity and I deploy an update that resets the app pool if they try and log in it throws the antiforgery exception. Is there a way when they click to login it can force a refresh to crab a new one if the old one is not valid anymore? I feel like I am missing something really simple. Thanks!

Answer 1

Balu Raju 81

the two errors that I mentioned above are unrelated. Even though I get the error about AntiForgery Token that was not preventing the app from loading. It was the error that I mentioned from the DevTools. Strangely that due to Case Senstive Url. The original application URL as it is deployed in the IIS structure is "https://mysite.com/Portal", but I was trying with https://mysite.com/portal. Once I ensured it takes right case URL, the error is gone and the application loaded successfully. Now this Case -Sensitive URL could be a problem that my clients may not be happy with but at least I know that is the issue. SO Anti forgery token issue is really not the issue even though it was an error but still loading the app. Any suggestion on making URL Case-INsensitive.

AgaveJoe 30,396 Reputation points

2024-02-09T20:35:59.9+00:00

URLs are not case sensitive. You must have C# code somewhere that's doing something with the URL. Perhaps something to with routes.

Answer 2

Balu Raju 81

No the URL is generated by the Deployment tool we use to deploy/host the application on the IIS server to give flexibility to our clients who deploy the app on their side. Depending on how/where they host - whether they host it directly under the site or under sub directory, etc. So the URL is not hardcoded in our application code. When I say it is case-sensitive I'm only talking about the sub directory portion in the URL. the domain part is fine to be case-insensitive. https://mysite.com/Portal vs https://mysite.com/portal

Anonymous

2024-02-13T08:18:40.2133333+00:00

According to your description now, it seems the deployment tool will deploy the application to a sub folder with different case-insensitive folder which caused the issue. If avoid the case-insensitive could solve the issuel, I suggest you could consider using the url rewrite to convert the url to lower-sensitive url.

Share via

Anti Forgery with Blazor Server App

2 answers

Your answer