ASP.NET MVC AntiForgeryToken throwing its exception on GET?
I've got a weird error in a couple MVC apps that I've not noticed before; it's happening in my app (across the board) and also it happened when I tried running the latest Orchard drop (so I know it's not just my code).
Basically, the issue is that I get the exception that should be thrown when an AntiforgeryToken isn't supplied, but is expected, only I get it when I hit the GET actions; the first time I'm visiting a page.
I've traced the behavior down to happen when I rebuild an app or redeploy it. For example, I was running my site on my local IIS server, then changed the settings to run in Cassini (obviously rebuilding, etc in the middle) and I got the error. Same thing when I scrapped an Orchard site and rebuilt it (in the same VS). Same when I redeployed a site I have on the web.
The solution I found was to clear my browser cookies, but it seems very odd that you'd get hit with that error when doing a GET against an endpoint, or am I missing something?
This is because the cookie is encrypted by different environments. Without specifying a machine key for encryption, .NET uses the one buried in machine.config.
To fix, add a manual machine key definition in your web.config:
<system.web>
  <!-- "stuff" is a placeholder: put your own generated hex key values here -->
  <machineKey validationKey="stuff" decryptionKey="stuff" validation="SHA1" decryption="AES" />
</system.web>
Use this to generate one:
http://aspnetresources.com/tools/keycreator.aspx
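An added example, not part of the answer above: generating the two key values locally from the OS random source, and a simplified model of why a cookie issued under one key stops validating after the key changes. The function names and the "value.tag" cookie layout are assumptions for illustration, not ASP.NET's actual cookie format.

```python
import hashlib
import hmac
import secrets

# Sizes for the settings shown in the answer (validation="SHA1",
# decryption="AES"): 64-byte validation key, 32-byte AES key.
VALIDATION_KEY_BYTES = 64
DECRYPTION_KEY_BYTES = 32


def new_machine_key():
    """Return (validationKey, decryptionKey) as upper-case hex from the OS CSPRNG."""
    return (secrets.token_hex(VALIDATION_KEY_BYTES).upper(),
            secrets.token_hex(DECRYPTION_KEY_BYTES).upper())


def machine_key_element(validation_key, decryption_key):
    """Render the <machineKey> element in the form used in the answer."""
    return ('<machineKey validationKey="%s" decryptionKey="%s" '
            'validation="SHA1" decryption="AES" />' % (validation_key, decryption_key))


def protect(value, validation_key):
    """Simplified model (hypothetical layout): the value plus an HMAC-SHA1 tag."""
    tag = hmac.new(bytes.fromhex(validation_key), value.encode(), hashlib.sha1)
    return value + "." + tag.hexdigest()


def unprotect(cookie, validation_key):
    """Return the value if the tag verifies under this key, else None."""
    value, _, tag = cookie.rpartition(".")
    expected = hmac.new(bytes.fromhex(validation_key), value.encode(), hashlib.sha1)
    if hmac.compare_digest(tag, expected.hexdigest()):
        return value
    return None


if __name__ == "__main__":
    old_key, _ = new_machine_key()   # key in effect before the rebuild or redeploy
    new_key, dec = new_machine_key() # a different key afterwards
    cookie = protect("constructed-token-value", old_key)  # constructed sample value
    print("same key     :", unprotect(cookie, old_key))
    print("different key:", unprotect(cookie, new_key))  # browser still holds the old cookie
    print(machine_key_element(new_key, dec))
```

Pinning one generated pair in web.config keeps cookies issued before a redeploy valid afterwards; treat the values as secrets and keep them out of source control.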
Are you positive that the action you are hitting is not decorated with the [ValidateAntiForgeryToken] attribute? This exception is thrown only if you have the attribute.