Null reference exception in AntiForgery code
See original GitHub issueI’m getting logging events of Null Reference Exceptions thrown from this line in my production environment.
This code doesn’t look to have changed in a long time, and while I’m not getting any issues reported by my end users I am logging it happening around 4000 times a day.
Looking at the line I can’t really see any obvious candidates for things that could be null only some of the time, and I’ve been unable to replicate the problem in my local development environment with the debugger attached.
My best guess is that HttpContext.Current.Request must be null, possibly because the user caused the HTTP request to be cancelled at the client side before the AntiForgery code had executed, maybe it’s a side effect of the controller actions being async?
Would some null checks on the current context and request be reasonable here, or is there a better way to access cookies here, or does anyone have any other theories as to the cause?
Many thank Rob
System.NullReferenceException: Object reference not set to an instance of an object.
at Abp.Web.Mvc.Security.AntiForgery.AbpMvcAntiForgeryManager.IsValid(String cookieValue, String tokenValue) in D:\GitHub\aspnetboilerplate\src\Abp.Web.Mvc\Web\Mvc\Security\AntiForgery\AbpMvcAntiForgeryTokenManager.cs:line 57
at Abp.WebApi.Security.AntiForgery.AbpAntiForgeryApiFilter.<ExecuteAuthorizationFilterAsync>d__10.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Abp.WebApi.Authorization.AbpApiAuthorizeFilter.<ExecuteAuthorizationFilterAsync>d__7.MoveNext() in D:\GitHub\aspnetboilerplate\src\Abp.Web.Api\WebApi\Authorization\AbpApiAuthorizeFilter.cs:line 70
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Web.Http.Controllers.ExceptionFilterResult.<ExecuteAsync>d__6.MoveNext()```
Issue Analytics
- State:
- Created 2 years ago
- Comments:15 (6 by maintainers)
Top GitHub Comments
Thanks, it’s weird that we’re not hitting that exception, but I guess maybe I will now with the changes in 7.1? Who knows, I’ll test more and report back if it’s still miss behaving.
Ahh, an extension method, I should have thought of that. Thanks for pointing it out.
Looking at the log again, it seems that it’s inside this method where it’s failing, I’m guessing the HttpContext.Current is the null here?
https://github.com/aspnetboilerplate/aspnetboilerplate/blob/059db7626b3642114b7a2ba7d15b6a14304640dd/src/Abp.Web.Mvc/Web/Mvc/Security/AntiForgery/AbpMvcAntiForgeryTokenManager.cs#L58
This trace is specifically from a webapi call, could it be that something somewhere along the line is working at cross purposes? I’ve not puzzled out enough of the flow here to know if there are separate paths for api and mvc calls, or if that could even be an issue here.