Thursday, June 25, 2015

Offline, can not save EPiServer 7.x

We recently started getting an odd error message whenever we edited a page. EPiServers auto save functionality was throwing an error in the console




POST http://mysite.local/episerver/cms/Stores/contentdata/ 500 (Internal Server Error)”.

We searched the internets for some clues about what could be wrong. Many posts hinted about page properties beeing missmatched with the settings in the database





Further digging into the logs we found this

Here’s the stack trace:
[InvalidOperationException: This request has probably been tampered with. Close the browser and try again.]
   EPiServer.Framework.Web.AspNetAntiForgery.ThrowForgeryException() +374
   EPiServer.Shell.Services.Rest.RestHttpHandler.ProcessRequest(HttpContextBase httpContext) +109
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +913

   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +165

and

ERROR - 1.2.5 Unhandled exception in ASP.NET
System.InvalidOperationException: This request has probably been tampered with. Close the browser and try again.
   at EPiServer.Framework.Web.AspNetAntiForgery.ThrowForgeryException()
   at EPiServer.Shell.Services.Rest.RestHttpHandler.ProcessRequest(HttpContextBase httpContext)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

ERROR - Cross-site request forgery detected [Client IP: XX.XX.XX.XX, Referer: http://mysite.local/episerver/CMS/#context=epi.cms.contentdata:///317, Url: http://mysite.local/episerver/cms/Stores/contentversion/, User: UserName]

although, the error that led us to the solution was this little fella

"the required anti-forgery cookie __requestverificationtoken is not present"

It turns out that we had marked the cookies as secure (as we all should) with the configuration setting
<system.web><httpCookies requireSSL="true" /></system.web>


But we were accessing the site with http. So the real underlying error was that last one, “the required anti-forgery cookie __requestverificationtoken is not present”. The site was requesting secure anti-forgery cookies but was getting standard unsecure cookies, thus the tampering exception

The solution, query the site with https or change the setting to requireSSL=”false”