I don't use session, so I removed it together with all HTTP modules I don't need.
I sometimes get this error: System.Web.Mvc.HttpAntiForgeryException: The anti-forgery token could not be decrypted. If this application is hosted by a Web Farm or cluster, ensure that all machines are running the same version of ASP.NET Web Pages and that the <machineKey> configuration specifies explicit encryption and validation keys. AutoGenerate cannot be used in a cluster.
Or this one: System.Web.Mvc.HttpAntiForgeryException: The provided anti-forgery token was meant for a different claims-based user than the current user.
When I enable session, it works.
So the question is: does the CSRF (anti-forgery) stuff depend on session state?
Anti-Forgery Tokens: The server includes two tokens in the response. One token is sent as a cookie. The other is placed in a hidden form field. The tokens are generated randomly so that an adversary cannot guess the values.
If the attacker forges a login page and gets the credentials that way, what's the point of using the token to protect the real login page? The attacker would be able to log in anyway using the user and password that he got.
This answer is dangerously wrong. The tokens ARE necessary.
ASP.NET session is not required for anti-forgery tokens to work. The token is stored in a hidden form field and in a cookie, separate from the session cookie (you may find details here). Additionally, when the anti-forgery token is invalid, an exception is thrown, so it does not look like the problem you have is connected with anti-forgery tokens. Maybe record a Fiddler session, attach it to a new SO question and we should be able to better guide you.
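To make the answer concrete, here is an added example (not code from the question, the answers, or ASP.NET itself) that models the cookie-plus-hidden-field scheme described in the quoted "Anti-Forgery Tokens" paragraph and in the answer above. It keeps no server-side state at all: the cookie token carries a random security token, the form token carries the same security token plus the user it was issued to, and both are protected with the server's key. Validation only needs the two tokens, the key and the current identity, which is why it works with session state disabled. Two assumptions to be clear about: the real tokens are encrypted with the `<machineKey>`, whereas this model only HMAC-signs them (sufficient to show the key-mismatch failure), and the key values, function names (`issue_tokens`, `validate`, `outcome`) and usernames are made up for the demonstration. The two error strings reproduce the two exceptions quoted in the question.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os

MAC_LEN = hashlib.sha256().digest_size  # 32-byte tag appended to every token


class AntiForgeryError(Exception):
    """Stand-in for System.Web.Mvc.HttpAntiForgeryException."""


def _sign(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()


def _encode(key: bytes, payload: dict) -> str:
    # ASP.NET encrypts tokens with the machineKey; this model signs them instead,
    # which is enough to show what happens when two servers use different keys.
    body = json.dumps(payload, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body + _sign(key, body)).decode()


def _decode(key: bytes, token: str) -> dict:
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (ValueError, binascii.Error):
        raise AntiForgeryError("The anti-forgery token could not be decrypted.")
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    if not hmac.compare_digest(mac, _sign(key, body)):
        raise AntiForgeryError("The anti-forgery token could not be decrypted.")
    return json.loads(body)


def issue_tokens(key: bytes, username: str, existing_cookie_token=None):
    """Return (cookie_token, form_token) for a page that renders a form.

    If the browser already holds a cookie token that validates under this key,
    its random security token is reused, so one cookie serves every page; the
    form token is bound to that security token and to the user it was issued
    to. No session store is consulted at any point.
    """
    security_token = None
    if existing_cookie_token is not None:
        try:
            existing = _decode(key, existing_cookie_token)
            if existing.get("kind") == "cookie":
                security_token = existing["st"]
        except AntiForgeryError:
            pass  # stale or foreign cookie: mint a replacement
    if security_token is None:
        security_token = base64.urlsafe_b64encode(os.urandom(16)).decode()
    cookie_token = _encode(key, {"kind": "cookie", "st": security_token})
    form_token = _encode(key, {"kind": "form", "st": security_token, "user": username})
    return cookie_token, form_token


def validate(key: bytes, cookie_token: str, form_token: str, current_user: str) -> None:
    """Model of [ValidateAntiForgeryToken]: both tokens must decode under the
    current key, agree on the security token, and the form token must have been
    issued to the user making this request."""
    cookie = _decode(key, cookie_token)
    form = _decode(key, form_token)
    if cookie.get("kind") != "cookie" or form.get("kind") != "form":
        raise AntiForgeryError("Cookie and form tokens are swapped or malformed.")
    if not hmac.compare_digest(cookie.get("st", "").encode(), form.get("st", "").encode()):
        raise AntiForgeryError("The anti-forgery cookie token and form field token do not match.")
    if form.get("user") != current_user:
        raise AntiForgeryError(
            "The provided anti-forgery token was meant for a different user than the current user.")


def outcome(key: bytes, cookie_token: str, form_token: str, current_user: str) -> str:
    """'ok' on success, otherwise the exception message (handy for tests and logs)."""
    try:
        validate(key, cookie_token, form_token, current_user)
        return "ok"
    except AntiForgeryError as exc:
        return str(exc)


if __name__ == "__main__":
    KEY_NODE_1 = b"explicit-machine-key-node-1"   # assumed demo keys, not real values
    KEY_NODE_2 = b"autogenerated-key-node-2"
    cookie, form = issue_tokens(KEY_NODE_1, "alice")
    print(outcome(KEY_NODE_1, cookie, form, "alice"))   # same key, same user: ok
    print(outcome(KEY_NODE_2, cookie, form, "alice"))   # farm node with a different key
    print(outcome(KEY_NODE_1, cookie, form, "bob"))     # token issued to someone else
```

The two failing calls in the `__main__` block reproduce the situations behind the two exceptions quoted in the question: `KEY_NODE_2` stands for a second web-farm server whose `<machineKey>` was auto-generated instead of being set explicitly, and the `"bob"` call is a request whose form token was minted while a different identity was logged in (for example a login form rendered anonymously and posted after the user was already authenticated). Neither check involves session state, which matches the answer above.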