tags:

views:

39

answers:

2
+3  Q: 

MVC ValidateAntiForgeryToken multi-tabs problem

Hello,

We'd been getting "A required anti-forgery token was not supplied or was invalid." errors, and on some further investigation, I've managed to recreate the problem in its simplest form - i'm either doing something completely wrong, or this is a limitation of the anti-forgery token system.

Either way, I'd appreciate some advice!

Empty MVC 2 project: one view page, one controller

view:

<%--Sign in form:--%>
<% using(Html.BeginForm("SignIn", "Home", FormMethod.Post)) {%>
    <%= Html.AntiForgeryToken()%>
    <input type="submit" value="Sign in" />
<%}%>

Controller:

public ActionResult Index()
{
    ViewData["status"] = "Index";
    return View();
}

[ValidateAntiForgeryToken]
public ActionResult SignIn()
{
    ViewData["status"] = "Signed In!";
    FormsAuthentication.SetAuthCookie("username", false);
    return View("Index");
}

[EDIT: simplified code example]

In order to recreate the exception, open two non-signed-in tabs - sign-in on the first tab, and then sign-in on the second tab.

The second tab will always throw an anti-forgery exception, when I guess correct behaviour would be to redirect to the signed-in page (sharing the session/authentication of the original signed-in tab)

Any advice would be appreciated!

Cheers, Dave

A: 

You could use the same salt:

<% using(Html.BeginForm("SignIn", "Home", FormMethod.Post)) {%>
    <%= Html.AntiForgeryToken("123")%>
    <input type="submit" value="Sign in" />
<%}%>

<% using(Html.BeginForm("Protected", "Home", FormMethod.Post)) {%>
    <%= Html.AntiForgeryToken("456")%>
    <input type="submit" value="Do secret stuff" />
<%}%>

And in your controller:

[ValidateAntiForgeryToken(Salt = "123")]
public ActionResult SignIn()
{
    ViewData["status"] = "Signed In!";
    FormsAuthentication.SetAuthCookie("username", false);
    return View("Index");
}

[Authorize]
[ValidateAntiForgeryToken(Salt = "456")]
public ActionResult Protected()
{
    ViewData["status"] = "Authed";
    return View("Index");
}

Do the same with the other token but make sure to pick a different salt.

Darin Dimitrov  2010-10-27 09:25:40
Thanks for the reply - but that doesn't solve the problem, cheers, Dave.
Dave  2010-10-27 09:29:06
It solved it for me. Make sure you use the same salt in the controller and the view for the signin form and action and a different salt for the protected action and view. Also don't forget to recompile and close the browser window to clear any stale cookies.
Darin Dimitrov  2010-10-27 09:30:52
Make sure you close your browser to start a new session - You actually don't need the 2nd form/controller action at all in order to recreate this issue.
Dave  2010-10-27 09:32:59
In your original question you talked about different browser tabs. If I close the browser and start a new there's no problem at all.
Darin Dimitrov  2010-10-27 09:35:04
No - I mean, open a fresh browser - then open two tabs.Sign-in on tab 1, then tab 2 will always fail with the exception.
Dave  2010-10-27 09:36:53
Yes, that's exactly what I did. Adding the salt solved the problem.
Darin Dimitrov  2010-10-27 09:37:45
This def' doesn't work. I'm happy to send you the code, if you want (thanks for your help)! :)
Dave  2010-10-27 09:45:13
OK, I see. Try redirecting in the POST action instead of returning a view: `return RedirectToAction("Index")`.
Darin Dimitrov  2010-10-27 09:58:55
Nope, no good :(
Dave  2010-10-27 13:31:29
+2  A: 

Looking at the MVC 2 source code it looks like the AntiForgeryToken hidden field includes the User.Identity.Name serialized, if your signed in. In line 69 of the ValidateAntiForgeryTokenAttribute it seems to then check your token with the current User.Identity.Name.

    string currentUsername = AntiForgeryData.GetUsername(filterContext.HttpContext.User);
    if (!String.Equals(formToken.Username, currentUsername, StringComparison.OrdinalIgnoreCase)) {
        // error: form token is not valid for this user
        // (don't care about cookie token)
        throw CreateValidationException();
    }

Because in your other tab you are now signed in the code above invalidates the existing token which doesn't contain the User.Identity.Name.

This could be fixed by adding a !string.IsNullOrEmpty(formToken.Username) around that check but I don't know if that will open up security issues plus it means having a custom MVC 2 Build.

Naz  2010-10-27 09:41:03

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps