
ASP.NET Core 2.1: Navigating back to a page after an HTTP POST fails validation displays a browser error

Problem:

Using an ASP.NET Core 2.1 MVC project, I'm receiving the following browser error message after using the browser back button to return to a form, where the form POST failed server-side validation:

Error message in Firefox:

Document Expired

This document is no longer available.

The requested document is not available in Firefox’s cache.

  • As a security precaution, Firefox does not automatically re-request sensitive documents.
  • Click Try Again to re-request the document from the website.

Error message in Chrome:

Confirm Form Resubmission

This webpage requires data that you entered earlier in order to be properly displayed. You can send this data again, but by doing so you will repeat any action this page previously performed.

Press the reload button to resubmit the data needed to load the page.

ERR_CACHE_MISS

Steps to reproduce:

  1. Submit an HTML form POST where server-side validation fails
  2. Navigate to a different URL
  3. Click the browser back button to return to the page with the form

Notes:

It appears to be related to Response caching (https://docs.microsoft.com/en-us/aspnet/core/performance/caching/middleware?view=aspnetcore-2.1) being disabled for the Antiforgery system.

The Antiforgery system for generating secure tokens to prevent Cross-Site Request Forgery (CSRF) attacks sets the Cache-Control and Pragma headers to no-cache so that responses aren't cached. For information on how to disable antiforgery tokens for HTML form elements, see ASP.NET Core antiforgery configuration.

I can confirm this: if you remove @Html.AntiForgeryToken() from the HTML form, the browser error message goes away.

This was not an issue in ASP.NET MVC5 using the AntiForgeryToken.

Question:

In ASP.NET Core 2.1, has anyone found a way to continue to use the Antiforgery system and prevent this browser error message from being displayed when the browser back button is used?

Here's my POST action:

    [HttpPost]
    [ValidateAntiForgeryToken]
    [ActionName("Contact-Form")]
    public async Task<ActionResult> ContactForm(ContactFormViewModel cfvm)
    {
        if (ModelState.IsValid)
        {
            // << Handling of the form submit code here >>

            TempData["Success"] = string.Format("Your contact request was submitted successfully!");

            return RedirectToAction("Contact-Form-Success");
        }

        TempData["Error"] = "The form did not submit successfully. Please verify that all of the required fields are filled.";
        return View();
    }

Update:

I posted the question on the ASP.NET Core Docs: https://github.com/aspnet/Docs/issues/7590

Daniel Congrove asked Jul 12 '18 17:07


1 Answer

This is not a language-specific issue. This is a browser behavior. To say this was 'not an issue with ASP.NET MVC 5' is incorrect.

Solutions: A common method of solving this is the PRG pattern which has been around since 1995.

An implementation of this for ASP.NET Core, using TempData can be found here

And I think that this link would be most helpful for you, since it demonstrates a method implemented in both MVC 5 and MVC 6.

I hope this helps!

I will try and update this post soon with a sample based on a razor-page starter project, time permitting.

Adam Vincent answered Oct 12 '22 00:10
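The Post/Redirect/Get pattern the answer names, applied to the question's action as an added example (not code from either poster). The failed POST redirects to the GET action instead of rendering a view, so the back button returns to a plain GET and `[ValidateAntiForgeryToken]` stays in place. The view model properties, the controller name and the `ContactFormDraft` TempData key are assumptions.

```csharp
using System.ComponentModel.DataAnnotations;
using Microsoft.AspNetCore.Mvc;
using Newtonsoft.Json;

// Assumed shape: the question does not show ContactFormViewModel's properties.
public class ContactFormViewModel
{
    [Required] public string Name { get; set; }
    [Required, EmailAddress] public string Email { get; set; }
    [Required] public string Message { get; set; }
}

public class HomeController : Controller // controller name is an assumption
{
    private const string DraftKey = "ContactFormDraft"; // hypothetical TempData key

    [HttpGet]
    [ActionName("Contact-Form")]
    public IActionResult ContactForm()
    {
        // Arriving via the redirect from a failed POST: restore the input and
        // re-run validation so the view shows the same field errors.
        if (TempData[DraftKey] is string json)
        {
            var draft = JsonConvert.DeserializeObject<ContactFormViewModel>(json);
            TryValidateModel(draft);
            return View(draft);
        }
        return View(new ContactFormViewModel());
    }

    [HttpPost]
    [ValidateAntiForgeryToken] // the CSRF check is unchanged
    [ActionName("Contact-Form")]
    public IActionResult ContactForm(ContactFormViewModel cfvm)
    {
        if (!ModelState.IsValid)
        {
            // TempData stores simple types, so keep the model as a JSON string.
            // With cookie-based TempData this travels via the browser: no secrets here.
            TempData[DraftKey] = JsonConvert.SerializeObject(cfvm);
            TempData["Error"] = "The form did not submit successfully. Please verify that all of the required fields are filled.";
            return RedirectToAction("Contact-Form"); // redirect to the GET, never render here
        }
        // << Handling of the form submit code here >>
        TempData["Success"] = "Your contact request was submitted successfully!";
        return RedirectToAction("Contact-Form-Success");
    }
}
```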