Server Cannot Append Header After HTTP headers have been sent Exception at @Html.AntiForgery

Question

I'm developing an asp.net mvc 5 application in which I was trying to redirect to the ReturnUrl by applying the code below :

[HttpPost]
[AllowAnonymous]
public ActionResult Login(UserLogin model, string returnUrl)
{
    if (ModelState.IsValid)
    {
        string EncryptedPassword = GetMD5(model.Password);
        if (DataAccess.DAL.UserIsValid(model.Username, EncryptedPassword))
        {
            FormsAuthentication.SetAuthCookie(model.Username, true);
            if (String.IsNullOrEmpty(returnUrl))
            {
                return RedirectToAction("Index", "Home");
            }
            else
            {
                Response.Redirect(returnUrl);
            }
        }
        else
        {
            ModelState.AddModelError("", "Invalid Username or Password");
        }
    }
    return View();
}

The above code is working fine, But the problem is that when I Post the login form, it gives me an Exception that I've never faced Before and I'm having difficulties resolving the exception that is generating in the view in Login.cshtml, At Line :

@Html.AntiForgeryToken()

And the Exception That it throws:

Server cannot append header after HTTP headers have been sent.

I've researched a lot but I'm unable to get to the conclusion. My application works fine when I remove @Html.AntiForgeryToken() line, But I don't want to do this, I want my application to remain cross-site request protected.

Can Anyone Please Help me out, How do I get rid of this Exception?

Answer 1

When Response.Redirect(anyUrl) the status code is set to 302, and the header will added to the response :

HTTP 1.0 302 Object Moved 
Location: http://anyurl.com

And when ViewResult is executed and razor render the view the Html.AntiForgeryToken() will called, so the helper tries to add the header X-Frame-Options and some cookies to the response, it is the cause of the exception.

But don't worry you can suppress the addition of X-Frame-Options header, just put this AntiForgeryConfig.SuppressXFrameOptionsHeader = true; in the Application_start.

But I suggest you to change this:

Response.Redirect(returnUrl);

to

return Redirect(returnUrl);

Note

Since .NET code was opened you can see how the AntiForgeryToken works, see here AntiForgeryWorker.

Answer 2

I was getting same error with Response.Redirect(returnUrl). After changing to Response.Redirect(returnUrl, false) fixed the issue.