Sitecore 6.6: CSRF form field is missing

In the latest version of Sitecore 6.6 (release 13.04.04) I sometimes get this error:

Exception: Sitecore.Security.AntiCsrf.Exceptions.PotentialCsrfException
Message: CSRF form field is missing.
Source: Sitecore.Security.AntiCsrf
at Sitecore.Security.AntiCsrf.SitecoreAntiCsrfModule.RaiseError(Exception ex, HttpContext context)
at Sitecore.Security.AntiCsrf.SitecoreAntiCsrfModule.PreRequestHandlerExecute(Object sender, EventArgs e)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

The issue seems to be related to an implementation of AntiCSRF, a Microsoft Public License library that prevents Cross Site Request Forgery.


The fix is easy. Clear your cookies, clear the browser cache, close the browser and try again.


The clever guys at Sitecore Support have come up with this (untested) quick fix that you can try:

Please add these lines to the Sitecore.AntiCsrf.config file (website/app_config/include/Sitecore.AntiCsrf.config):

<ignore wildcard="/sitecore/shell/*Applications/Security/User*Manager*?*Cart_Users_Callback=yes"/>
<ignore wildcard="/sitecore/shell/*Applications/Security/Role*Manager*?*Cart_Roles_Callback=yes"/>
<ignore wildcard="/sitecore/shell/*Applications/Security/Domain*Manager*?*Cart_Domains_Callback=yes"/>
<ignore wildcard="/sitecore/shell/~/xaml/Sitecore.Shell.Applications.Security.SelectAccount*Cart_*_Roles_Callback=yes"/>
<ignore wildcard="/sitecore/shell/~/xaml/Sitecore.Shell.Applications.Security.SelectAccount*Cart_*_Users_Callback=yes"/>


The tough guy could choose to disable AntiCSRF completely. Add the following lines to the /App_Config/Include/Sitecore.AntiCSRF.config file; the rule exempts every request under /sitecore/ from the CSRF check:

<?xml version="1.0"?>
        <rule name="shell">
          <!-- Ignore AntiCSRF completely -->
          <ignore wildcard="/sitecore/*"/>
        </rule>
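
The ignore rules above differ widely in how much they exempt. The following added example (not code from the original post or from Sitecore) reports which `<ignore>` entries would exempt URLs that should keep their CSRF check. The matching semantics, the sample fragment and the probe URLs are assumptions constructed for illustration.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed fragment: a narrow rule from the support fix, the TreeviewEx
# rule from the comments, and the blanket rule from the "disable" option.
SAMPLE_RULE = """<rule name="shell">
  <ignore wildcard="/sitecore/shell/*Applications/Security/User*Manager*?*Cart_Users_Callback=yes"/>
  <ignore contains="TreeviewEx"/>
  <ignore wildcard="/sitecore/*"/>
</rule>"""

# Constructed URLs of pages whose POSTs should keep their CSRF check.
MUST_STAY_PROTECTED = [
    "/sitecore/shell/Applications/Security/UserManager.aspx",
    "/sitecore/shell/default.aspx",
]


def exempts(ignore, url):
    """True if one <ignore> element would skip the CSRF check for url.

    Assumed semantics: glob matching for wildcard= ('*' any run, '?' any one
    character), substring matching for contains=, both case-insensitive.
    """
    url = url.lower()
    wildcard, contains = ignore.get("wildcard"), ignore.get("contains")
    if wildcard is not None:
        return fnmatch.fnmatchcase(url, wildcard.lower())
    if contains is not None:
        return contains.lower() in url
    return False


def overbroad_ignores(rule_xml, protected_urls):
    """Return (attribute, pattern, exempted URLs) for each <ignore> that
    exempts at least one URL that is supposed to stay protected."""
    findings = []
    for ignore in ET.fromstring(rule_xml).iter("ignore"):
        hits = [u for u in protected_urls if exempts(ignore, u)]
        if hits:
            attr = "wildcard" if ignore.get("wildcard") is not None else "contains"
            findings.append((attr, ignore.get(attr), hits))
    return findings


if __name__ == "__main__":
    for attr, pattern, hits in overbroad_ignores(SAMPLE_RULE, MUST_STAY_PROTECTED):
        print(f'{attr}="{pattern}" exempts {len(hits)} protected URL(s): {hits}')
```

Only the blanket `/sitecore/*` rule is reported for the sample input; the callback and TreeviewEx rules leave both probe URLs protected.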

About briancaos

Developer at Pentia A/S since 2003. Has developed web applications using Sitecore since Sitecore 4.1.

10 Responses to Sitecore 6.6: CSRF form field is missing

  1. Tried both fixes (actually, the config changes were already there for me) and neither resolved the issue unfortunately.

  2. Pingback: A potentially dangerous Request.QueryString value was detected from the client | Brian Pedersen's Sitecore and .NET Blog

  3. Jordan says:

    None of these fixes worked for us either. Just logged a ticket with Support. Anyone else have any ideas?

  4. Karthik Babu says:

    I also faced the same issue. Here is the response from Sitecore support:
    The reason for the issue is in your ‘Sitecore.AntiCsrf.config’ file. Please comment out the ‘WFFM’ rule node and move the following ignore rules to the ‘shell’ rule node in the ‘Sitecore.AntiCsrf.config’ file:




    Hope this will work.


  5. I’ve just run into this same issue in Sitecore 7.1. The error occurs when I’m expanding nodes in the presentation details, trying to view renderings or sublayouts. The CSRF config does not prevent the error.

    Anyone get a resolution to this?


  6. Jason St-Cyr says:

    Dan, I just ran into the exact same issue as you with Sitecore 7.1. I just resolved it, and it was a missing line in the CSRF config file. I found a missing line that exists in Sitecore 6.6 Update 7, but is not in the version of Sitecore 7.1 that I was using where it indicates to have TreeViewEx ignored.

    I created the following configuration file, added it to the Include folder, and it resolved the problem:

  7. Jason St-Cyr says:

    Gah… it stripped it out. Here’s another attempt with encoded tags:
    <configuration xmlns:patch="">
    <rule name="shell">
    <ignore patch:before="ignore[@contains='InstantSearch']" contains="TreeviewEx" />

  8. Yogesh says:

    I was also getting the same error, but after commenting the “” setting in the web.config file it is working perfectly for me.

  9. Yogesh says:

    Hello briancaos, I am getting same error again but now the setting I posted here I forget. Also setting is not showing here as well. I am sure that time I copied setting there but don’t know why it’s not showing right now. Can you please help me to get this setting again.

  10. Yogesh says:

    Thanks briancaos, Finally I got that setting “”.
