We recently started getting an odd error message whenever we edited a page. EPiServer's auto-save functionality was throwing an error in the console:
“POST http://mysite.local/episerver/cms/Stores/contentdata/ 500 (Internal Server Error)”.
Digging further into the logs, we found this. Here’s the stack trace:
[InvalidOperationException: This request has probably been tampered with. Close the browser and try again.]
EPiServer.Framework.Web.AspNetAntiForgery.ThrowForgeryException() +374
EPiServer.Shell.Services.Rest.RestHttpHandler.ProcessRequest(HttpContextBase httpContext) +109
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +913
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +165
and
ERROR - 1.2.5 Unhandled exception in ASP.NET
System.InvalidOperationException: This request has probably been tampered with. Close the browser and try again.
at EPiServer.Framework.Web.AspNetAntiForgery.ThrowForgeryException()
at EPiServer.Shell.Services.Rest.RestHttpHandler.ProcessRequest(HttpContextBase httpContext)
at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
ERROR - Cross-site request forgery detected [Client IP: XX.XX.XX.XX, Referer: http://mysite.local/episerver/CMS/#context=epi.cms.contentdata:///317, Url: http://mysite.local/episerver/cms/Stores/contentversion/, User: UserName]
The error that led us to the solution, though, was this little fella:
"the required anti-forgery cookie __requestverificationtoken is not present"
The site's web.config had this setting:
<system.web><httpCookies requireSSL="true" /></system.web>
But we were accessing the site over http. So the real underlying error was that last one, “the required anti-forgery cookie __requestverificationtoken is not present”. The site required secure (SSL-only) anti-forgery cookies, but the requests made over plain http did not carry one, hence the tampering exception.
The solution: access the site over https, or change the setting to requireSSL="false".
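The mechanism behind the missing cookie, as an added example that is not part of the original post or of EPiServer's code: it reads the requireSSL setting from a web.config body, marks the anti-forgery cookie Secure accordingly, and lets Python's standard cookie jar decide whether a client would send it back on the autosave POST. The config bodies, the token value and the function names are constructed for illustration, and the model assumes the cookie's Secure flag follows requireSSL.

```python
import urllib.request
import xml.etree.ElementTree as ET
from http.cookiejar import Cookie, CookieJar
from urllib.parse import urlsplit

COOKIE_NAME = "__RequestVerificationToken"  # cookie named in the error message

# Constructed sample inputs: minimal web.config bodies and the autosave URL.
CONFIG_SECURE = ('<configuration><system.web><httpCookies requireSSL="true" />'
                 '</system.web></configuration>')
CONFIG_PLAIN = CONFIG_SECURE.replace('"true"', '"false"')
HTTP_URL = "http://mysite.local/episerver/cms/Stores/contentdata/"
HTTPS_URL = "https" + HTTP_URL[len("http"):]


def require_ssl(web_config_xml):
    """True when <system.web><httpCookies requireSSL="true" /> is configured."""
    node = ET.fromstring(web_config_xml).find("system.web/httpCookies")
    return node is not None and node.get("requireSSL", "false").lower() == "true"


def token_cookie_sent(web_config_xml, url):
    """Would a client attach the anti-forgery cookie to a POST to this URL?"""
    cookie = Cookie(
        version=0, name=COOKIE_NAME, value="constructed-token",
        port=None, port_specified=False,
        domain=urlsplit(url).hostname, domain_specified=False,
        domain_initial_dot=False, path="/", path_specified=True,
        secure=require_ssl(web_config_xml),  # assumption: Secure follows requireSSL
        expires=None, discard=True, comment=None, comment_url=None,
        rest={"HttpOnly": None},
    )
    jar = CookieJar()
    jar.set_cookie(cookie)
    request = urllib.request.Request(url, data=b"{}", method="POST")
    # The jar applies the browser rule: Secure cookies only travel over https.
    jar.add_cookie_header(request)
    return COOKIE_NAME in (request.get_header("Cookie") or "")


if __name__ == "__main__":
    for label, cfg, url in (("requireSSL=true over http", CONFIG_SECURE, HTTP_URL),
                            ("requireSSL=true over https", CONFIG_SECURE, HTTPS_URL),
                            ("requireSSL=false over http", CONFIG_PLAIN, HTTP_URL)):
        print(label, "-> cookie sent:", token_cookie_sent(cfg, url))
```

The httpCookies requireSSL setting applies to the site's cookies generally, not only the anti-forgery token, so switching it to "false" suits a local http binding, while a deployed site is better kept on https with the setting left at "true".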