I have an MVC view that is supposed to be iFramed. And several instances of it might be iFramed in the same host page. In my view I have this:
@Html.AntiForgeryToken()
Which I use to try to make sure calls to a web api are only coming from this page. My host page might look something like this:
<iframe src="http://myserver.com/myview?someparameters=0000"></iframe>
<iframe src="http://myserver.com/myview?someparameters=0001"></iframe>
<iframe src="http://myserver.com/myview?someparameters=0002"></iframe>
In my view I grab the token and submit it in a header so that I can check it in my API:
// Web API side: compare the token the view sent in a request header
// with the anti-forgery cookie the browser attached to the same request.
var headers = actionContext.Request.Headers;
// Hidden-field token, copied by the view's script into a custom header
var headerToken = headers.Contains("__RequestVerificationToken") ? headers.GetValues("__RequestVerificationToken").FirstOrDefault() : null;
// Matching cookie token, sent automatically by the browser
var cookie = headers.GetCookies("__RequestVerificationToken").FirstOrDefault()?["__RequestVerificationToken"]?.Value;
// Throws HttpAntiForgeryException when the pair does not match
AntiForgery.Validate(cookie, headerToken);
The problem I'm running into is that in my host page, all three views are getting loaded in parallel. As a result they all get their own random token in a hidden field and try to set the cookie. But while there can be three separate independent hidden input tokens, there can be only one cookie. So of the three requests, two will fail and one will succeed. A reload of the page will have all three working again, presumably because they are all getting the same anti-forgery token at this point (because it belongs to the session - if I understand this correctly).
So how can I avoid this? How can I make sure they all get the same token?
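To make the race concrete, here is an added Python model (not code from the question or from ASP.NET): the anti-forgery pair is treated as a cookie token plus a page token HMAC-bound to it, and the browser has a single cookie slot that each parallel iframe response overwrites. The key, the token format and the `issue_tokens`, `validate` and `load_host_page` helpers are simplifying assumptions, not the real MVC implementation.

```python
import hmac
import hashlib
import secrets

# Constructed stand-in for the server's machineKey (assumption).
SERVER_KEY = secrets.token_bytes(32)

def issue_tokens(existing_cookie=None):
    """Server rendering a view: reuse the cookie token if the request carried one,
    otherwise mint a fresh one. The page token is bound to the cookie token."""
    cookie = existing_cookie or secrets.token_hex(16)
    page = hmac.new(SERVER_KEY, cookie.encode(), hashlib.sha256).hexdigest()
    return cookie, page

def validate(cookie, page):
    """Equivalent of AntiForgery.Validate(cookie, headerToken): both halves must be
    present and the page token must be the one bound to this cookie token."""
    if cookie is None or page is None:
        return False
    expected = hmac.new(SERVER_KEY, cookie.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, page)

def load_host_page(cookie_jar, frames=3):
    """Browser loads `frames` iframes in parallel. Every request is sent with the
    jar as it was before any response arrived, and each Set-Cookie overwrites
    the one cookie slot, so the last response wins."""
    initial = cookie_jar.get("__RequestVerificationToken")
    page_tokens = []
    for _ in range(frames):
        cookie, page = issue_tokens(initial)          # all see the same initial jar
        cookie_jar["__RequestVerificationToken"] = cookie  # last writer wins
        page_tokens.append(page)
    # Later each frame calls the API with its own hidden-field token in the
    # header while the browser attaches whichever cookie survived.
    surviving = cookie_jar["__RequestVerificationToken"]
    return [validate(surviving, page) for page in page_tokens]

def simulate():
    """First load: fresh browser, no cookie. Second load: cookie already set."""
    jar = {}
    first = load_host_page(jar)
    second = load_host_page(jar)
    return first, second
```

With no cookie established, only the frame whose Set-Cookie landed last validates; on the reload every frame is rendered against the existing cookie and all three pass.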
Try using a partial view. In each partial view you can use your iFrames, and all partial views will be added to the main .cshtml file having Html.AntiForgeryToken()
@Html.AntiForgeryToken()
<div>
@{Html.RenderPartial("_iFrame1");}
</div>
<div>
@{Html.RenderPartial("_iFrame2");}
</div>
<div>
@{Html.RenderPartial("_iFrame3");}
</div>