AntiForgeryToken doesn't validate across sub project of same solution


I am implementing CSRF in MVC application. I created custom attribute to validate token as my inputs are json encode and call by Ajax. It works fine in the same project but when any button or link call url across different project in same solution then it doesn't validate the token. E.g logoff is in main page and calling different project's controller in the same solution. It keep on throwing "The anti-forgery cookie token and form field token do not match." I have machine key already set up in the web configs. Can you guys please help me figure it out this issue.

Thank you

logoff method - main.js file in main project

                    url: config.authenticationUrl + '/Account/LogOff',
                    method: 'POST',
                    data: serialisedExtent,
                    contentType: 'application/json',
                    headers: {
                        '__RequestVerificationToken': $('input[name=__RequestVerificationToken]').val()

Controller method in account controller in authentication project

        public async Task<ActionResult> LogOff([ModelBinder(typeof(JsonNetModelBinder))] Exten extent)
            if (User != null &&
                User.Identity != null &&

public sealed class ValidateHeaderAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
        public void OnAuthorization(AuthorizationContext filterContext)
            if (filterContext == null)
                throw new ArgumentNullException("filterContext");

            var httpContext = filterContext.HttpContext;
            var cookie = httpContext.Request.Cookies[AntiForgeryConfig.CookieName];
            AntiForgery.Validate(cookie != null ? cookie.Value : null, httpContext.Request.Headers["__RequestVerificationToken"]);


The anti-forgery cookie token and form field token do not match.] [exception : System.Web.Mvc.HttpAntiForgeryException (0x80004005): The anti-forgery cookie token and form field token do not match. at System.Web.Helpers.AntiXsrf.TokenValidator.ValidateTokens(HttpContextBase httpContext, IIdentity identity, AntiForgeryToken sessionToken, AntiForgeryToken fieldToken) at System.Web.Helpers.AntiXsrf.AntiForgeryWorker.Validate(HttpContextBase httpContext, String cookieToken, String formToken) at ValidateHeaderAntiForgeryTokenAttribute.OnAuthorization(AuthorizationContext filterContext) in at System.Web.Mvc.ControllerActionInvoker.InvokeAuthorizationFilters(ControllerContext controllerContext, IList`1 filters, ActionDescriptor actionDescriptor) at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass3_1.b__0(AsyncCallback asyncCallback, Object asyncState)] [method : ] [caller : ] [context : ]

asked on Stack Overflow Sep 9, 2019 by HNP • edited Sep 9, 2019 by Sergey Kudriavtsev

1 Answer


Try configuring all applications in your solution to specify the same ApplicationDiscriminator value:

var dataProtectionBuilder = services.AddDataProtection(configure =>
    configure.ApplicationDiscriminator = "SharedAppName";

An identifier that uniquely discriminates this application from all other applications on the machine. The discriminator value is implicitly included in all protected payloads generated by the data protection system to isolate multiple logical applications that all happen to be using the same key material.

If two different applications need to share protected payloads, they should ensure that this property is set to the same value across both applications.

answered on Stack Overflow Sep 9, 2019 by Jan Doubek • edited Sep 9, 2019 by Jan Doubek

User contributions licensed under CC BY-SA 3.0