Bypassing Sitecore’s Request Verification


This is going to be a fairly short blog post, but hopefully it helps someone else out there. Recently, I came across the dreaded "RequestVerificationToken is not present" error while troubleshooting why Content Testing wasn't working. As of this blog post, I still don't know what in my code is breaking request verification; however, I was able to confirm how to get around it.

The error that I was seeing is:

"ErrorMessage":"The required anti-forgery cookie \"__RequestVerificationToken\" is not present."

"ExceptionType":"System.Web.Mvc.HttpAntiForgeryException","StackTrace":" at System.Web.Helpers.AntiXsrf.TokenValidator.ValidateTokens(HttpContextBase httpContext, IIdentity identity, AntiForgeryToken sessionToken, AntiForgeryToken fieldToken)
 at System.Web.Helpers.AntiXsrf.AntiForgeryWorker.Validate(HttpContextBase httpContext, String cookieToken, String formToken)
 at Sitecore.Web.Http.Filters.ValidateHttpAntiForgeryTokenAttribute.OnAuthorization(HttpActionContext actionContext)"

Typically, the cause of this error in Sitecore is bad cookies or an invalid login token: the "__RequestVerificationToken" cookie that has to pair with the token sent in the form or request header is missing or stale, so the validator has nothing to compare against. This is commonly fixed by clearing your browser cookies and refreshing the page. (You see this frequently with Sitecore Analytics REST calls.)

But what if that doesn't work? Is the issue really with request verification, or is it some kind of underlying error that surfaces as an anti-forgery failure?

After doing a fair amount of sleuthing through decompiled binaries, I discovered an undocumented Sitecore configuration setting called IsAuthorizationBypassAllowed. When set to true, the anti-forgery token check performed by Sitecore's ValidateHttpAntiForgeryToken attribute (the same check that raised the exception in the stack trace above) is skipped on every controller and action that carries the attribute, so those endpoints accept requests without a matching "__RequestVerificationToken" cookie and form or header token. Note that this is the anti-forgery (CSRF) token check, not ASP.NET's separate Request Validation of input for markup.

To set this, create a configuration patch file (an include file under App_Config) that contains the following setting:

<setting name="Sitecore.Web.IsAuthorizationBypassAllowed" value="true" />

Big Security Risk

Be clear about what this does: the anti-forgery token is the only thing stopping cross-site request forgery against these controllers, so with the check bypassed any state-changing action behind them can be triggered by a malicious page that an authenticated user happens to visit. Only set it to true in environments where access is tightly controlled, such as Content Management servers, and bear in mind that a Content Management server is exactly where authenticated editor and administrator sessions live, so the exposure there is not theoretical. Never leave it enabled on an internet-facing instance.

You should also treat this setting as a stop-gap measure. Use it only as a diagnostic: if the error disappears with the bypass on, the problem is the request verification handshake itself (missing or mismatched token); if it persists, the anti-forgery failure is masking another underlying error. Remember to go back and remove the setting, or set it back to false, once you have corrected the root issue, and check the deployed configuration to confirm it is gone.
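The post shows only the single setting line and says to create a patch file and later remove it; the following is an added example, not code from the original post or from Sitecore, written in Python. It builds the complete patch file for either value, and it parses a Sitecore configuration document (the patch itself, or the merged configuration from /sitecore/admin/showconfig.aspx saved to a file) to report whether the bypass is switched on, which is the check to run before anything is deployed. The showconfig sample inside is constructed, and the assumption that only the value "true" turns the bypass on (with an absent setting meaning the default, off) is mine rather than something verified against Sitecore's own parsing.

```python
"""Audit a Sitecore config for the anti-forgery bypass setting.

Added example, not code from the original post or from Sitecore.
build_patch() writes the complete patch file the post describes (it shows
only the <setting> line), and bypass_enabled() reads either that patch or
the merged configuration (the output of /sitecore/admin/showconfig.aspx
saved to disk) and reports whether the bypass is switched on, so the
stop-gap can be caught before it reaches a deployment.

Assumption (mine, not verified against Sitecore's parser): only the value
"true" (any case) switches the bypass on; an absent setting means the
default, which is off.
"""
import sys
import xml.etree.ElementTree as ET

SETTING = "Sitecore.Web.IsAuthorizationBypassAllowed"
PATCH_NS = "http://www.sitecore.net/xmlconfig/"


def build_patch(enabled: bool) -> str:
    """Return a complete Sitecore include/patch file that sets the bypass.

    Sitecore's patcher matches <setting> elements by their name attribute,
    so this file adds the setting if it is absent and overrides it if not.
    """
    value = "true" if enabled else "false"
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        f'<configuration xmlns:patch="{PATCH_NS}">\n'
        "  <sitecore>\n"
        "    <settings>\n"
        f'      <setting name="{SETTING}" value="{value}" />\n'
        "    </settings>\n"
        "  </sitecore>\n"
        "</configuration>\n"
    )


def find_setting(config_xml: str, name: str = SETTING):
    """Return the value of <setting name=...>, or None if it is not present.

    Handles both the value="..." attribute form and the alternative
    <patch:attribute name="value">...</patch:attribute> child form that
    Sitecore patch files may use.
    """
    root = ET.fromstring(config_xml.encode("utf-8"))
    for setting in root.iter("setting"):
        if setting.get("name") != name:
            continue
        value = setting.get("value")
        if value is None:
            for attr in setting.findall(f"{{{PATCH_NS}}}attribute"):
                if attr.get("name") == "value":
                    value = (attr.text or "").strip()
        return value
    return None


def bypass_enabled(config_xml: str) -> bool:
    """True when the config turns anti-forgery token validation off."""
    value = find_setting(config_xml)
    if value is None:
        return False  # setting absent: Sitecore default applies (bypass off)
    return value.strip().lower() == "true"


# Constructed stand-in for showconfig output: no bypass setting present.
SAMPLE_SHOWCONFIG = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    f'<sitecore xmlns:patch="{PATCH_NS}">\n'
    "  <settings>\n"
    '    <setting name="Analytics.Enabled" value="true"'
    ' patch:source="Sitecore.Analytics.config" />\n'
    "  </settings>\n"
    "</sitecore>\n"
)


def audit(config_xml: str) -> str:
    """One-line verdict suitable for a deployment gate."""
    if bypass_enabled(config_xml):
        return f"FAIL: {SETTING} is true; anti-forgery checks are bypassed"
    return f"OK: {SETTING} is off"


if __name__ == "__main__":
    # Usage: python audit_bypass.py [showconfig.xml]; without a file the
    # constructed sample and a freshly built "true" patch are audited.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print(audit(fh.read()))
    else:
        print(build_patch(True))
        print(audit(build_patch(True)))
        print(audit(SAMPLE_SHOWCONFIG))
```

Save the showconfig page from the server you are about to promote and run the script against it; a FAIL verdict means the diagnostic patch is still in place. The parser walks every <setting> regardless of where it sits, so it works the same on an individual include file and on the fully merged configuration.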

Applies to Sitecore 8.0, 8.1, 8.2 and 9.0.
