Anti forgery token on login page

I have implemented antiforgery token on my login page.

Now I had one user pressing back key on the keyboard, and when they click on login button again after filling their credentials, they get error page.

Is there some better way of handeling this case like redirect them to fresh login page?

Page that is login page is :/account/logon

If login details are sucessfull the user is redirected to :Home/Index page on which the user pressed button back.

Answers


Don't implement the ASP.NET AntiForgeryToken on your login page. The token is based on a username among other criteria and a login page assume the attacker already has credentials to a system in order to be able to exploit csrf on that page.

However, you should use some form of CSRF protection on your login page - see https://security.stackexchange.com/a/2126/51772


I've written up a full solution here: https://richardcooke.info/en/2014/keep-users-signed-in-after-asp-net-deploy/

Here's the necessary code to call in your controller form your GET method:

private void SetANewRequestVerificationTokenManuallyInCookieAndOnTheForm()
{
    if (Response == null)
        return;

    string cookieToken, formToken;
    AntiForgery.GetTokens(null, out cookieToken, out formToken); 
    SetCookie("__RequestVerificationToken", cookieToken);
    ViewBag.FormToken = formToken;
}

private void SetCookie(string name, string value)
{
   if (Response.Cookies.AllKeys.Contains(name))
       Response.Cookies[name].Value = value;
   else
       Response.Cookies.Add(new HttpCookie(name, value));
}

and code to put in your view in place of Html.AntiForgeryToken():

@if (ViewBag.FormToken != null)
{
    <text><input name="__RequestVerificationToken" type="hidden" value="@ViewBag.FormToken" /></text>
}
else
{
    <text>@Html.AntiForgeryToken()</text>
}

My solution to this was:

Reload a page if it hits login page again. this will ensure fresh loading of antiforgery token

and all is done


Need Your Help

JavaFX FileChooser: how to set file filters?

java user-interface javafx-2 filechooser

I want to set file filters in a JavaFX FileChooser but I could not find a way to do it.

Android: Change Background Color of Fragment

android layout background fragment

I tried changing the background color of a fragment, but a small problem occurred.