SharePoint March 2013 Public Update, Invalid FormDigest, Client.SVC ProcessQuery 403 Forbidden

Recently I came across interesting error ” _vti_bin/client.svc/ProcessQuery 403 Forbidden” while making CSOM API call during on load of SharePoint 2013 publishing page article in edit mode. Our logic was simple – make CSOM API calls whenever Publishing Page is in Edit mode during on load of the article. As we started narrowing down the issue, we noticed the pattern – If you edit the page which was in publish mode but not checked out, page errors out in edit mode.  If you edit the page which was checked out, it works correctly.

403 Forbiden Error

Based on the error, it was quite noticeable that this must be related to FormDigest Control. Those of you not aware, FormDigest control keeps security validation token for CSOM API calls. SharePoint validates client user requests using FormDigest control and making all the client side CSOM or REST API calls requires valid FormDigest value to ensure requests came from same client.

Since we were using Custom Master Page, my first solution was to ensure FormDigest control exists in our master page. All the Out of box SharePoint master pages adds FormDigest control automatically but I wanted to make sure FormDigest control exists in our custom master page. Upon checking master page, FormDigest control was indeed added through our custom master page.

<SharePoint:FormDigest runat="server"/>

At this stage, I knew I am in unknown territory and it would be much harder to trace down the real problem. Since FormDigest control was already available in our Custom master page, my initial instinct was to look at FormDigest value in Publish and Check Out mode. Since page edit worked fine if page is already checked out and didn’t work if page was in publish mode, I wanted to see if FormDigest control was invalid in publish mode causing CSOM API errors. Upon looking at page source, indeed, that was the case. We had invalid FormDigest value in publish mode and valid FormDigest value in page checked out mode.

Article in Publish Mode, Invalid FormDigest Token =>

FormDigest in Publish Mode

Article in Check out or Edit Mode, Valid FormDigest Token =>

FormDigest in Checkout Mode

Apparently, it seems like this problem has been introduced in March 2013 PU for both SharePoint 2010 and SharePoint 2013.  According to this MSDN forum, March PU introduced the logic of invalidating FormDigest control on publishing pages in Publish mode. FormDigest works fine in Edit or Page Check out mode with valid security token but invalidates in Publish mode. That’s the reason when we edited our news articles from publish mode (without checking out) thrown CSOM API forbidden errors.

To ensure, this issue is not introduced in our custom publishing page layouts, we have also verified that OOB Publishing pages have similar issues with invalid FormDigest security token (http://intranet.niks.local/news/pages/default.aspx) but wiki pages worked fine with valid security token (http://intranet.niks.local/sites/cthub/SitePages/Home.aspx). Additionally, we have verified that our Custom Publishing Page Layouts worked fine in RTM with valid FormDigest token in both Publish and Checked out mode.

Resolution => Upgrade to June 2013 CU or August 2013 CU => As MSDN forum suggests, this issue seems to have been introduced into the product in the March 2013 CU for both SharePoint 2010 and SharePoint 2013. People have reported that June 2013 CU has fixed this issue for both SharePoint 2013 and SharePoint 2010. To validate these reports, we have upgraded our environment to August 2013 CU (latest stable release) and I am happy to announce that it has fixed FormDigest invalidity issues. I was able to edit our news articles from both publishing or checked out mode without any 403 Forbidden errors.


This entry was posted in Uncategorized. Bookmark the permalink.

2 Responses to SharePoint March 2013 Public Update, Invalid FormDigest, Client.SVC ProcessQuery 403 Forbidden

  1. Steven Ng says:

    Hi Nik,
    I’m running into this issue trying to create a new item in a list with SP REST API. Do you think the Aug CU will help?

    • Nik Patel says:

      Yes, that;s possible if you have similar symptoms.. Please test in DEV or Staging environment before applying any changes to PROD. In addition, do perform the regression testing to see if other features are working fine…

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s