Description
I'm having a weird issue that may or may not be a bug in asp related to CSRF tokens.
I have an action with the following attributes:
```csharp
[HttpPost]
[ValidateAntiForgeryToken]
[Authorize]
```
When I post to this, I get:
```
Antiforgery token validation failed. The required antiforgery request token was not provided in either form field "__RequestVerificationToken" or header value "RequestVerificationToken".
```
If I check the HTML of the page using Chrome, I see that the form contains the following hidden input:
```html
<input name="__RequestVerificationToken" type="hidden" value="CfDJ8O3lgopbgsJNtDH_fqvyV9D9trRngoK8OrpG0nwsV-aBRi70ONhbzJlxd18xNg1ih7cE2oCRGfhWi1NkyS1RiqS4GRO6B5I-737ciTn3Q9ppPABkKkXoF2QBsn8FE3jMvwkaNRNDtFFV_Fgfh9R2O4DQ9JH8ruFUDXuQczjESTpAsrKJY0oNmArWaNHNvp3wUw">
```
This should be all that is needed, right?
However, if I manually add a `@Html.AntiForgeryToken()` at the top of the form, the POST succeeds.
This addition does add the following, which is the same as above:
```html
<input name="__RequestVerificationToken" type="hidden" value="CfDJ8O3lgopbgsJNtDH_fqvyV9D9trRngoK8OrpG0nwsV-aBRi70ONhbzJlxd18xNg1ih7cE2oCRGfhWi1NkyS1RiqS4GRO6B5I-737ciTn3Q9ppPABkKkXoF2QBsn8FE3jMvwkaNRNDtFFV_Fgfh9R2O4DQ9JH8ruFUDXuQczjESTpAsrKJY0oNmArWaNHNvp3wUw">
```
So by the end of it, I have duplicate `__RequestVerificationToken` inputs on my form. One that is automatically injected, and the other I manually inject through the `@Html` helper... but the post only succeeds if I manually use the helper.
Relevant packages:
```json
"Microsoft.AspNetCore.Mvc": "1.0.0-rc2-final"
```