Bypassing Sitecore’s Request Verification


This is going to be a fairly short blog post, but hopefully it helps someone else out there. Recently, I came across the dreaded "RequestVerificationToken is not present" error while troubleshooting why Content Testing wasn’t working. As of this blog post, I still don’t know what in my code is breaking request verification; however, I was able to confirm how to get around it.

The error that I was seeing is:

"ErrorMessage":"The required anti-forgery cookie \"__RequestVerificationToken\" is not present."

"ExceptionType":"System.Web.Mvc.HttpAntiForgeryException","StackTrace":" at System.Web.Helpers.AntiXsrf.TokenValidator.ValidateTokens(HttpContextBase httpContext, IIdentity identity, AntiForgeryToken sessionToken, AntiForgeryToken fieldToken)
 at System.Web.Helpers.AntiXsrf.AntiForgeryWorker.Validate(HttpContextBase httpContext, String cookieToken, String formToken)
 at Sitecore.Web.Http.Filters.ValidateHttpAntiForgeryTokenAttribute.OnAuthorization(HttpActionContext actionContext)"

Typically, the cause of this issue within Sitecore is bad cookies or an invalid login token. It is commonly fixed by clearing the cookies in your browser and refreshing the page. (You see this commonly with Sitecore Analytics REST calls.)

But what if that doesn’t work? Is the issue really with Request Verification, or is there some kind of underlying error?

After a fair amount of sleuthing through decompiled binaries, I discovered an undocumented Sitecore configuration setting called IsAuthorizationBypassAllowed. When set to true, it skips the anti-forgery token check on controllers decorated with the ValidateHttpAntiForgeryToken attribute.

To set this, create a patch file that sets the following setting:

<setting name="Sitecore.Web.IsAuthorizationBypassAllowed" value="true" />
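A complete patch file for this setting, as an added example that is not from the original post. It assumes the standard App_Config/Include location (the "zzz" subfolder name is an assumption chosen so the file patches in after Sitecore’s own includes) and uses the Sitecore 9 rule-based configuration role:require attribute so the bypass only takes effect on Content Management or Standalone roles; on Sitecore 8.x, which has no role:require, drop that attribute and its namespace and deploy the file to the CM instance only:

```xml
<?xml version="1.0" encoding="utf-8"?>
<!--
  Example patch file (added here; not from the original post).
  Assumed path: App_Config/Include/zzz/Sitecore.IsAuthorizationBypassAllowed.config
  Temporary troubleshooting aid only: it disables anti-forgery token validation on
  controllers decorated with ValidateHttpAntiForgeryToken. Delete this file once the
  root cause of the "__RequestVerificationToken is not present" error is fixed.
-->
<configuration xmlns:patch="http://www.sitecore.net/xmlconfig/"
               xmlns:role="http://www.sitecore.net/xmlconfig/role/">
  <sitecore>
    <settings>
      <!-- role:require (Sitecore 9.0+ rule-based configuration) limits the patch to
           the CM and Standalone roles; Content Delivery servers keep the default value
           and the anti-forgery check stays enabled there. -->
      <setting name="Sitecore.Web.IsAuthorizationBypassAllowed" value="true"
               role:require="Standalone or ContentManagement" />
    </settings>
  </sitecore>
</configuration>
```

On Sitecore 9 the role:require rule is evaluated against the role:define app setting in web.config, so make sure each server’s role is defined correctly. After deploying, confirm the effective value through /sitecore/admin/showconfig.aspx on the CM instance: if the setting does not appear there, the patch is not being picked up, and that is the first thing to check before assuming Request Verification is not the cause.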

Big Security Risk

It should be noted that setting this to true is a security risk. It should only be set in environments where you have tightly controlled security, such as Content Management servers.

You should also consider this setting a stop-gap measure. Use it only for testing, to see whether the issue you are experiencing is related to Request Verification or something else. Remember to go back and remove this setting, or set it back to false, once you have corrected the root issue.

Applies to all versions of Sitecore 8.0, 8.1, 8.2 and Sitecore 9.0

2 thoughts on “Bypassing Sitecore’s Request Verification”

  1. Hi Pete,
    I’ve tried this (Sitecore 9.0.1 on Azure) but seems not to work. I’ve added the setting directly in Sitecore.config. Any specific place this should be added?

    Thanks


    • I normally don’t put these types of changes directly in the Sitecore.config… and instead use patch files. That being said, it shouldn’t matter as long as it’s correctly added. If this isn’t solving your specific issue, it could be there’s another issue getting in the way. I would analyze your logs and make sure there aren’t other errors occurring.

