Thursday, June 25, 2015

Offline, can not save EPiServer 7.x

We recently started getting an odd error message whenever we edited a page. EPiServers auto save functionality was throwing an error in the console




POST http://mysite.local/episerver/cms/Stores/contentdata/ 500 (Internal Server Error)”.

We searched the internets for some clues about what could be wrong. Many posts hinted about page properties beeing missmatched with the settings in the database





Further digging into the logs we found this

Here’s the stack trace:
[InvalidOperationException: This request has probably been tampered with. Close the browser and try again.]
   EPiServer.Framework.Web.AspNetAntiForgery.ThrowForgeryException() +374
   EPiServer.Shell.Services.Rest.RestHttpHandler.ProcessRequest(HttpContextBase httpContext) +109
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +913

   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +165

and

ERROR - 1.2.5 Unhandled exception in ASP.NET
System.InvalidOperationException: This request has probably been tampered with. Close the browser and try again.
   at EPiServer.Framework.Web.AspNetAntiForgery.ThrowForgeryException()
   at EPiServer.Shell.Services.Rest.RestHttpHandler.ProcessRequest(HttpContextBase httpContext)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

ERROR - Cross-site request forgery detected [Client IP: XX.XX.XX.XX, Referer: http://mysite.local/episerver/CMS/#context=epi.cms.contentdata:///317, Url: http://mysite.local/episerver/cms/Stores/contentversion/, User: UserName]

although, the error that led us to the solution was this little fella

"the required anti-forgery cookie __requestverificationtoken is not present"

It turns out that we had marked the cookies as secure (as we all should) with the configuration setting
<system.web><httpCookies requireSSL="true" /></system.web>


But we were accessing the site with http. So the real underlying error was that last one, “the required anti-forgery cookie __requestverificationtoken is not present”. The site was requesting secure anti-forgery cookies but was getting standard unsecure cookies, thus the tampering exception

The solution, query the site with https or change the setting to requireSSL=”false”

6 comments :

  1. Thanks for sharing, nice post! Post really provice useful information!

    Hương Lâm chuyên cung cấp bán máy photocopy và dịch vụ cho thuê máy photocopy giá rẻ, uy tín TP.HCM với dòng máy photocopy toshiba và dòng máy photocopy ricoh uy tín, giá rẻ.

    ReplyDelete
  2. Actually no matter if someone doesn't be aware of after that its up to other users that they will help, so here it takes place.
    섯다
    고스톱

    ReplyDelete
  3. Hi there excellent blog! Does running a blog like this take a lot of work?
    I’ve very little knowledge of coding but I was hoping to start my own blog in the near future.
    Anyways, should you have any ideas or techniques for new blog owners please share.
    I know this is off subject nevertheless I simply wanted to ask.
    Thank you!
    스포츠토토
    스포츠토토

    ReplyDelete
  4. Hi there, I found your blog by the use of Google while looking for a related subject, your site came up, it appears good. I've bookmarked it in my google bookmarks.
    성인웹툰
    일본야동

    ReplyDelete
  5. Attractive component of content. I just stumbled upon your site and in accession capital to claim that I acquire actually enjoyed account your blog posts. Anyway I will be subscribing for your feeds or even I success you access consistently quickly.
    안전놀이터
    토토사이트

    ReplyDelete