correct way to implement Post/Redirect/Get (PRG) : AntiForgery tokens are not supposed to be cached, #7590
Comments
@Tratcher please respond
No, that's a browser feature. Navigating backwards works terribly for some HTTP features like form submission (POST request), so those messages are the browser being helpful and saying "You don't want to re-submit this form, it might cause nasty side-effects like double billing your credit card". It is being triggered by the anti-forgery system because that is also a mechanic for protecting your form posts, though for some other scenarios. Moral of the story: don't rely on the back button when there are POSTs involved, it's not safe. Provide ample navigation options on your page instead.
@Tratcher Is this the right doc to put that information ("Navigating backwards works terribly for some HTTP features like form submission")?
@Tratcher Is there a proper way to use the new Antiforgery system and not get this browser error? For example, in MVC5 there isn't this problem using the Antiforgery tokens. Or even the ASP.NET website's login form (https://login.asp.net/account/login), which appears to use Antiforgery tokens. If you try to login with an invalid password (which I assume triggers server-side validation), go to another page, and then click the browser back button to return to the login form, the page shows correctly -- no browser error and the Antiforgery token still intact. But using ASP.NET Core 2.1, it seems any page that uses the Antiforgery system and returns
The browser error is more than a simple popup asking if "you're sure you want to resubmit a form". This error message takes up the full browser window and makes it look like the web app is at fault to a user. I think it may have to do with the Antiforgery tokens being set to
This is not a language-specific issue. This is a browser behavior. To say this was 'not an issue with ASP.NET MVC 5' is incorrect. Solutions: An implementation of this for ASP.NET Core, using There is no easy way to implement PRG in ASP.NET Core, and I think this needs to be a quality of life improvement.
@EntityAdam Thanks for the response, but the issue isn't with Model State and the "Confirm Form Resubmission" popup. It's a different browser error, that appears to be caused by a change in how Your solution to change the return I encourage you to try the steps to reproduce in both MVC5 and ASP.NET Core 2.1. You'll notice it's a new browser error (separate from the "Confirm Form Resubmission" popup) that now occurs in Core 2.1, which was not present in MVC5.
Update: After receiving further feedback on StackOverflow about the issue (thanks Chris Pratt), I was told that the AntiForgery tokens are not supposed to be cached, and the browser error is what I should be seeing. The PRG pattern posted by @EntityAdam is the correct solution. Sorry again for questioning your answer. I would like to second @EntityAdam's suggestion of adding some documentation on the correct way to implement PRG in ASP.NET Core.
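The Post/Redirect/Get pattern the thread settles on, written out for the tutorial's Create page as an added example (this is not @EntityAdam's code or anything from the docs repo; it assumes the tutorial's Movie model, a hypothetical `CreateModel.Errors` TempData key, and Newtonsoft.Json as shipped with ASP.NET Core 2.1):

```csharp
using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Newtonsoft.Json;

// Added example: Post/Redirect/Get for a Razor Page that uses antiforgery tokens.
// On validation failure the handler redirects instead of calling return Page(),
// so the browser's history entry is a GET rather than the non-cacheable POST
// response, and the page is rendered fresh with a new antiforgery token.
// Assumes the Movie model from the Razor Pages tutorial (not defined here).
public class CreateModel : PageModel
{
    private const string ErrorsKey = "CreateModel.Errors";   // assumed TempData key

    [BindProperty]
    public Movie Movie { get; set; } = new Movie();

    public IActionResult OnGet()
    {
        // Re-hydrate validation errors stashed by a failed POST, if any.
        if (TempData[ErrorsKey] is string json)
        {
            var errors = JsonConvert.DeserializeObject<Dictionary<string, string[]>>(json)
                         ?? new Dictionary<string, string[]>();
            foreach (var (field, messages) in errors)
                foreach (var message in messages)
                    ModelState.AddModelError(field, message);
        }
        return Page();
    }

    public IActionResult OnPost()
    {
        if (!ModelState.IsValid)
        {
            // TempData only holds simple values, so serialize the errors to a string.
            var errors = ModelState
                .Where(kv => kv.Value.Errors.Count > 0)
                .ToDictionary(kv => kv.Key,
                              kv => kv.Value.Errors.Select(e => e.ErrorMessage).ToArray());
            TempData[ErrorsKey] = JsonConvert.SerializeObject(errors);
            return RedirectToPage();   // 302 to GET /Movies/Create
        }

        // Persist Movie here (omitted), then redirect to the list page.
        return RedirectToPage("./Index");
    }
}
```

The redirect discards the posted values, so if the form should be re-populated the user's input has to be stashed in TempData alongside the errors; the antiforgery token is regenerated on the GET, which is the intended behaviour.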
Hi Steve Smith, Fiyaz Hasan, and Rick Anderson, I found one strange observation. Again, I perform one more post from the same form. It generates one more new token. I am trying to perform a CSRF attack by using the old token, i.e. 'oZCEnRCusmwasddggfgtr1221dssdsdOm_yOf8XfL8k5GSQSMzKnHZuABnJSd9Q_VsdoW_dhberirHEIw7Gyib4XLVx641RYW01'. It is still successfully posting the data to the server. If I change the second-to-last character from 0 to 1, i.e. 'oZCEnRCusmwasddggfgtr1221dssdsdOm_yOf8XfL8k5GSQSMzKnHZuABnJSd9Q_VsdoW_dhberirHEIw7Gyib4XLVx641RYW11', it is still posting the data successfully.
Thanks for contacting us.
Hi!
After a form post fails server-side validation, I'm getting the following browser error message when I go to a different page and then use the browser's back button to return to original page with the form.
Error message in Firefox:
Error message in Chrome:
It appears to be caused by the Antiforgery system. When not using Antiforgery tokens, the browser error goes away.
Steps to reproduce:
Using the Razor pages tutorial project as an example (https://github.com/aspnet/Docs/tree/master/aspnetcore/tutorials/razor-pages/razor-pages-start/sample).
/Pages/Movies/Create.cshtml file -- to force server-side validation. The problem seems to be caused by
return Page();
in the Post action, when it's being used with an AntiForgery token in the form.
I see this note in the Response Caching docs (https://docs.microsoft.com/en-us/aspnet/core/performance/caching/middleware?view=aspnetcore-2.1),
Assuming this is the problem, is there a solution to stop these browser error messages from occurring?