Menu
In a web page we provide a hyperlink (GET) that the User may click on to authenticate:
@Html.ActionLink("Please Login", "MyMethod", "MyController")
This maps to the following controller method which returns a View:
[RequireHttps]
public ActionResult MyMethod()
{
return this.View(new MyModel());
}
This View contains the Form in which the User supplies their credentials; the Form contains the required AntiForgeryToken.
When the User submits the form, the following Controller method is called:
[HttpPost]
[RequireHttps]
[ValidateAntiForgeryToken]
public ActionResult MyMethod(MyModel model)
{
// my logic
}
This works perfectly well, most of the time...
However, if the User leaves their browser open for a "significant" period of time and then performs the following steps in quick succession:
They get an exception informing them that the Anti-Forgery token was either not provided or was invalid.
I don't understand why this is the case: the View (containing the form) is created after the browser was dormant and so the anti-forgery tokens should all be "fresh". However, something is evidently wrong with this design, but I'm not sure how best to rectify it.
Thanks in advance if you have any suggestions.
Griff
468
This cookie is used to store the antiforgery token value in the client side, so clients can read it and sends the value as the HTTP header. Default cookie name is XSRF-TOKEN , expiration time is 10 years (yes, ten years!
The ValidateAntiForgeryToken attribute requires a token for requests to the action methods it marks, including HTTP GET requests.
June 09, 2020. AntiForgeryToken is a security token generated by the . Net Core web application, which is used to validate a post request to guard against Cross-Site Request.
I'm dealing with this same problem and while I understand the issue, I'm not sure yet of the best resolution.
The Anti-ForgeryToken process places an input value in the form with a second value stored in a cookie RequestVerificationToken. Both of these are submitted to the server and if they don't match the error is thrown.
The RequestVerficationToken cookie has an expiration value set to be Session. So when the user leaves the browser open on the page for a long time and then submits, the cookie's time stamp is compared to the session timeout value on the server — a default of 20 minutes or so — and having been exceeded, it is removed and thus token validation fails.
Possible solutions, all of which have potential issues;
198
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
