The anti-forgery token could not be decrypted
This page was created by Hans.karlsen on 2023-03-07. Last edited by Edgar on 2025-01-20.
The anti-forgery token could not be decrypted. If this application is hosted by a Web Farm or cluster, ensure that all machines are running the same version of ASP.NET Web Pages and that the <machineKey> configuration specifies explicit encryption and validation keys. AutoGenerate cannot be used in a cluster.
This page, produced by us, contains an ID (antiforgerytoken). It is new each time.
It is generated from a key value on the server (machineKey).
If you have a webfarm (more than one frontend), this key value on the server should be the same for all servers.
When ASP.NET gets a postback from a page with an anti-forgery token, it tries to verify it.
The goal is to avoid someone taking an old page and re-posting it multiple times.
If you wait for a long time from page gen to postback, the token may expire.