I am trying to avoid "AntiForgery" checking as it always fails when hosted from the 3rd party server. I am using ASP.NET Core 2.0 MVC application.
I added this option in the ConfigureServices function:
```csharp
services
    .AddMvc()
    .AddRazorPagesOptions(options =>
    {
        options.Conventions.AuthorizeFolder("/Account/Manage");
        options.Conventions.AuthorizePage("/Account/Logout");
        options.Conventions.ConfigureFilter(new IgnoreAntiforgeryTokenAttribute());
    });
```
But I am still getting this exception:

```text
System.InvalidOperationException: The antiforgery token could not be decrypted.
System.Security.Cryptography.CryptographicException: The key {6fb328e7-4808-4b5d-b7dc-870d126e5ca4} was not found in the key ring.
```

Am I missing anything?
If the attacker forges a login page and gets the credentials that way, what's the point of using the token to protect the real login page? The attacker would be able to log in anyway using the user and password that he got. This answer is dangerously wrong. The tokens ARE necessary.
Require antiforgery validation: the ValidateAntiForgeryToken attribute requires a token for requests to the action methods it marks, including HTTP GET requests. If the ValidateAntiForgeryToken attribute is applied across the app's controllers, it can be overridden with the IgnoreAntiforgeryToken attribute.

To help prevent CSRF attacks, ASP.NET MVC uses anti-forgery tokens, also called request verification tokens. The client requests an HTML page that contains a form. The server includes two tokens in the response. One token is sent as a cookie.
Add the IgnoreAntiforgeryToken attribute (Order must be > 1000) to the Razor page model, for example:
```csharp
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

namespace CWACpch.Pages
{
    // Order above 1000 so this attribute overrides the automatic validation filter
    [IgnoreAntiforgeryToken(Order = 2000)]
    public class CreateOrderModel : PageModel
    {
    }
}
```
I've been looking around for how to disable the cookie; setting the Order does not seem to help for me, and trying to set it for all pages via the line below also did not work for me.

```csharp
options.Conventions.ConfigureFilter(new IgnoreAntiforgeryTokenAttribute());
```

I eventually found the article below, which helps with deleting the cookie locally, at least. Add the line below in Startup.cs: Disable .AspNetCore.Antiforgery Cookie

```csharp
services.AddAntiforgery(options => { options.Cookie.Expiration = TimeSpan.Zero; });
```
As per my understanding, you don't have to disable anything. By default, if you use the ASP.NET tag helper to create a form element, it will put an anti-forgery token in it.

It is up to you to validate the anti-forgery token by using the [ValidateAntiForgeryToken] annotation on the action method, or by globally defining configuration to ValidateAntiForgeryToken, which will make the system try to validate the anti-forgery token.

If you have not configured the system as mentioned above, the system won't validate the anti-forgery token and it won't be a problem for your situation.
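An added example (not from the question or any of the answers) putting the pieces the answers describe into one Startup: the Data Protection key ring is persisted so the token can be decrypted on whichever host validates it (the "key ... was not found in the key ring" error in the question), validation is turned on globally, and a single Razor page opts out with an IgnoreAntiforgeryToken whose Order exceeds the validator's default of 1000. The namespaces, the page name and the key path are assumptions.

```csharp
using System.IO;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.DependencyInjection;

namespace ExampleApp // assumed namespace
{
    public class Startup
    {
        public void ConfigureServices(IServiceCollection services)
        {
            // The question's "key ... was not found in the key ring" means the Data
            // Protection keys used to encrypt the antiforgery cookie are not shared by
            // the host that issued the token and the host that validates it. Persisting
            // the key ring to a location every host can read (path is an assumption)
            // makes the token decryptable again, so the check does not have to be disabled.
            services.AddDataProtection()
                .PersistKeysToFileSystem(new DirectoryInfo(@"\\shared\keys"));

            services.AddAntiforgery(options =>
            {
                options.HeaderName = "X-CSRF-TOKEN"; // lets AJAX callers send the token in a header
                options.Cookie.HttpOnly = true;       // script on the page never needs the cookie
            });

            // Validate the token on every unsafe request (POST, PUT, DELETE, PATCH)
            // for MVC controllers; Razor Pages already add this filter themselves.
            services.AddMvc(options =>
                options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));
        }
    }
}

namespace ExampleApp.Pages // assumed namespace
{
    // AutoValidateAntiforgeryToken runs at Order 1000, so the Ignore attribute only
    // wins when its Order is higher. This page is the one deliberate exception to
    // global validation; every other page and controller keeps the check.
    [IgnoreAntiforgeryToken(Order = 2000)]
    public class WebhookModel : PageModel // assumed page
    {
        public IActionResult OnPost() => new OkResult();
    }
}
```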