Anti-forgery token and anti-forgery cookie related issues

An anti-forgery token prevents CSRF (Cross-Site Request Forgery) attacks. The server associates this token with the current user’s identity and sends it to the client. In the next request from the client, the server expects to see this token. If the token is missing or different, the server rejects the request (Reference).

I have recently worked on some anti-forgery related errors. These are the error messages I saw in Event Viewer:

The provided anti-forgery token was meant for a different claims-based user than the current user.

The provided anti-forgery token was meant for user “”, but the current user is “X”.

The anti-forgery cookie token and form field token do not match.

The required anti-forgery cookie “__RequestVerificationToken” is not present.

Advanced Logging is not working – Enable Advanced Logging per site

Advanced Logging is an additional IIS feature that helps administrators customize web server logs. IIS 7, 7.5, and 8 used this feature as a detailed and customized logging option. IIS 8.5 introduced Enhanced Logging, which is a built-in feature of IIS.

In this post, I will explain a solution for the scenario where Advanced Logging is not recording any logs. I will also provide a trick to enable it per website.

How to turn off SameSite cookie attribute?

Developers use the SameSite cookie attribute to prevent CSRF (Cross-Site Request Forgery) attacks. This attribute instructs browsers not to send cookies along with cross-site requests (Reference).

I needed to turn off the SameSite cookie attribute for Safari as part of a fix for the issue mentioned here. A simple solution is below.

How to use Azure file share in IIS Shared Configuration?

IIS Shared Configuration allows system administrators to run multiple IIS servers that share the same configuration file. If you want to keep this configuration file in an Azure file share, there is a specific procedure you need to follow. The step-by-step procedure is in the Solution section below.

You can also try to use the “Map network drive” feature in Windows File Explorer or the New-PSDrive command below. In my case, neither of these options provided a permanent solution.

The timeout period elapsed prior to obtaining a connection from the pool

“Timeout expired” errors may be the result of a wide range of issues such as network delays, application hangs, and database locks. I have recently worked on an issue that was the result of ADO.NET database pool exhaustion.

The entire error message we captured in the DebugDiag dump file:

Exception Details

System.InvalidOperationException

Timeout expired. The timeout period elapsed prior to obtaining a connection from the pool. This may have occurred because all pooled connections were in use and max pool size was reached.

System.Data.ProviderBase.DbConnectionFactory.TryGetConnection(System.Data.Common.DbConnection

High CPU usage in IIS around 4am everyday

I have recently worked with a server that was struggling with high CPU usage only at a certain time of the day: 4am. It sounds odd at first, but it made sense later. I will discuss the scenario and possible solutions in this post.

Attempt to load Oracle client libraries threw BadImageFormatException

I came across a “System.BadImageFormatException” error while trying to migrate an application from Windows Server 2008 R2 to Windows Server 2012 R2. I will list the possible root cause and solution for this issue in this post.

Error message:

Attempt to load Oracle client libraries threw BadImageFormatException. This problem will occur when running in 64 bit mode with the 32 bit Oracle client components installed.

How to upload files by using ASP.NET Core

Many web applications require users to upload files. Whether it’s a photo, document or any other type of file, your application should be able to read it from the client computer and store it on the server.

I have recently worked on a case where the developer was trying to use the functions below to get the full path of the file:

string filePath = Path.Combine(Request.Form["file"].ToString());
string filePath = System.IO.Path.GetFullPath(Request.Form["file"].ToString());

These functions won’t return the full path if the “Include local directory path when uploading files to a server” setting is disabled in Internet Explorer.