Hacking Sitecore and Life one pipeline at a time!

Bypassing Sitecore’s Request Verification


This is going to be a fairly short blog post, but hopefully helps someone else out there. Recently, I came across the dreaded RequestVerificationToken is not present error while troubleshooting why Content Testing wasn’t working.  As of this blog post, I still don’t know what is in my code that is breaking request verification, however, I was able to confirm how to get around it.

The error that I was seeing is:

"ErrorMessage":"The required anti-forgery cookie \"__RequestVerificationToken\" is not present."

"ExceptionType":"System.Web.Mvc.HttpAntiForgeryException","StackTrace":" at System.Web.Helpers.AntiXsrf.TokenValidator.ValidateTokens(HttpContextBase httpContext, IIdentity identity, AntiForgeryToken sessionToken, AntiForgeryToken fieldToken)
 at System.Web.Helpers.AntiXsrf.AntiForgeryWorker.Validate(HttpContextBase httpContext, String cookieToken, String formToken)
 at Sitecore.Web.Http.Filters.ValidateHttpAntiForgeryTokenAttribute.OnAuthorization(HttpActionContext actionContext)"

Typically, the cause of this issue within Sitecore is due to bad cookies or invalid login token. This is commonly fixed by clearing your cookies in your browser and refreshing the page. (You see this commonly with Sitecore Analytics REST calls).

But what if that doesn’t work?  Is the issue really with Request Verification or some kind of underlying error?

After doing a fair amount of sleuthing through decompiled binaries, I discovered an undocumented Sitecore Configuration Setting called IsAuthorizationBypassAllowed. This setting, when set to true will ignore Request Validation checking on Controllers where the ValidateHttpAntiForgeryToken attribute is set.

To set this, create a patch file that sets the following setting:

<setting name="Sitecore.Web.IsAuthorizationBypassAllowed" value="true" />

Big Security Risk

It should be noted that it is a security risk to have this setting set to true. It should only be set in environments where you have tightly controlled security, such as Content Management servers.

You should also consider this setting a Stop Gap measure. Use it only for testing to see if the issue you are experiencing is related to Request Verification or something else. Remember to go back and remove this setting or set it back to false when you have corrected the root issue.

Applies to all versions of Sitecore 8.0, 8.1, 8.2 and Sitecore 9.0

Categorised in: Sitecore, Technology, Uncategorized

2 Responses »

  1. Hi Pete,
    I’ve tried this (Sitecore 9.0.1 on Azure) but seems not to work. I’ve added the setting directly in Sitecore.config. Any specific place this should be added?



    • I normally don’t put these types of changes directly in the Sitecore.config… and instead use patch files. That being said, it shouldn’t matter as long as it’s correctly added. If this isn’t solving your specific issue, it could be there’s another issue getting in the way. I would analyze your logs and make sure there aren’t other errors occuring.


Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Enter your email address to follow this blog and receive notifications of new posts by email.

Join 1,238 other subscribers

Blog Stats

  • 132,847 hits
Follow Sitecore Hacker on WordPress.com
Sitecore® and Own the Experience® are registered trademarks of Sitecore Corporation A/S in the U.S. and other countries.  This website is independent of Sitecore Corporation, and is not affiliated with or sponsored by Sitecore Corporation.
%d bloggers like this: