antiforgerytoken

Why is AntiForgeryToken's hidden field not same as its cookies on my machine?

岁酱吖の submitted on 2019-12-01 03:33:59
I just did a quick test with a simple ASP.NET MVC 3 sample by modifying the default LogOn form. According to this article, both the hidden field __RequestVerificationToken and the cookies __RequestVerificationToken_Lw__ must contain the same value that is generated by Html.AntiForgeryToken(). But it isn't exactly the same when I got them in Fiddle. By the way, looking at the MVC 3 source code, the method GetAntiForgeryTokenAndSetCookie seemed not to use the salt value for generating the cookies. Was there any change in MVC 3? Forgot to say that I could still log on successfully with both normal or Ajax POST request. Here is raw

Will ASP.Net MVC's AntiForgeryToken Method work with Load Balancers?

左心房为你撑大大i submitted on 2019-11-30 11:13:47
Using ASP.Net MVC v2.0, I am starting to research the use of the Html.AntiForgeryToken() method when submitting forms that process data. I can see it sets a hidden value in the form HTML and it sets the same value in a session cookie. The question is will different web servers in a load balanced configuration create the same token in the HTML forms? It seems if they don't then the cookie and hidden form value wouldn't match and we would have a problem. Before I get into actually testing this in a LB configuration, wanted to check if anyone already has experience with this? Thanks, Paul Levi If

Mvc3 Antiforgery token multi tabs

时光怂恿深爱的人放手 submitted on 2019-11-30 05:20:01
We have a specific issue with the anti forgery token on the login page. If the user logs in with only one active window everything works great, however if the user opens the login page in two different windows and logs in from window A (no issues, will login), and then goes back to login from window B, in this window the user will receive "A required anti-forgery token was not supplied or was invalid". Is there any way around this other than to remove the anti forgery token from the view/controller action? We would prefer to have the token for additional security! This is very similar to this

How to include the @Html.AntiForgeryToken() when deleting an object using a Delete link

穿精又带淫゛_ submitted on 2019-11-30 04:59:50
I have the following ajax.actionlink which calls a Delete action method for deleting an object:
    @if (!item.IsAlreadyAssigned(item.LabTestID))
    {
        string i = "Are You sure You want to delete (" + @item.Description.ToString() + ") ?";
        @Ajax.ActionLink("Delete", "Delete", "LabTest",
            new { id = item.LabTestID },
            new AjaxOptions { Confirm = i, HttpMethod = "Post", OnSuccess = "deletionconfirmation", OnFailure = "deletionerror" })
    }
But is there a way to include @Html.AntiForgeryToken() with the Ajax.actionlink deletion call to make sure that no attacker can send a false deletion request? BR You need

Is it possible/right to use multiple @Html.AntiForgeryToken() in 2 different forms in one page?

北慕城南 submitted on 2019-11-30 04:09:33
I have been facing a serious problem with @Html.AntiForgeryToken(). I have a register controller which had a create view to create/register new members. For that reason I used a @Html.AntiForgeryToken() without using any SALT in my main submit form. Now I would like to validate the user name, if it already exists in the database, on the blur event of my user name textbox. For this validation I wrote a new controller named 'Validation' and wrote a method with a constant validation SALT: [HttpPost] [ValidateAntiForgeryToken(Salt = @ApplicationEnvironment.SALT)] public ActionResult username(string log

Will ASP.Net MVC's AntiForgeryToken Method work with Load Balancers?

女生的网名这么多〃 submitted on 2019-11-29 17:20:32
Question: Using ASP.Net MVC v2.0, I am starting to research the use of the Html.AntiForgeryToken() method when submitting forms that process data. I can see it sets a hidden value in the form HTML and it sets the same value in a session cookie. The question is will different web servers in a load balanced configuration create the same token in the HTML forms? It seems if they don't then the cookie and hidden form value wouldn't match and we would have a problem. Before I get into actually testing this

MVC5 AntiForgeryToken Claims/“Sequence contains more than one element”

一笑奈何 submitted on 2019-11-29 13:17:27
Case: I have an MVC5 application (basically the MVC5 template with a scaffolded view) with the Google authentication method enabled. The application has been configured to accept email as user name and to store the claims assigned from Google like Surname, givenname, email, nameidentifier, etc., to the membership database (AspNetUserClaims). When I register and log in with a "local" user everything is fine. If I log in with a Google user it's fine. If I log in with an account set up to have both a local and external login I get the error below. I have tried changing the type for the token to

MVC 4 provided anti-forgery token was meant for user “” but the current user is “user”

家住魔仙堡 submitted on 2019-11-29 09:11:50
I've recently put live a web application which was built using MVC 4 and Entity Framework 5. The MVC application uses Razor Views. I noticed using Elmah that when users are logging into the application, sometimes they are getting the following error: The provided anti-forgery token was meant for user "" but the current user is "user". I've done a bit of research already on how to fix this issue, but nothing seems to work for me. Please see my Login View and corresponding Controller Actions below. Razor View @if (!HttpContext.Current.User.Identity.IsAuthenticated) { using (Html.BeginForm()) {

Mvc3 Antiforgery token multi tabs

前提是你 submitted on 2019-11-29 03:34:57
Question: We have a specific issue with the anti forgery token on the login page. If the user logs in with only one active window everything works great, however if the user opens the login page in two different windows and logs in from window A (no issues, will login), and then goes back to login from window B, in this window the user will receive "A required anti-forgery token was not supplied or was invalid". Is there any way around this other than to remove the anti forgery token from the view

Html.AntiForgeryToken() still required?

老子叫甜甜 submitted on 2019-11-29 03:01:17
Is @Html.AntiForgeryToken() still required in ASP.NET .NET4.6 vNext? The form decorations have changed to <form asp-controller="Account" asp-action="Login" asp-route-returnurl="@ViewBag.ReturnUrl" method="post" class="form-horizontal" role="form"> From this @using (Html.BeginForm("Login", "Account", new { ReturnUrl = ViewBag.ReturnUrl }, FormMethod.Post, new { @class = "", role = "form" })) And no longer include this @Html.AntiForgeryToken() The Controller Actions are still marked with the ValidateAntiForgeryToken attribute as expected though so where exactly is it coming from? Automagically?