Is ASP.NET Identity cookie cached?

  • Question

  • User-585144208 posted

    Hi

    For some users of my ASP.NET MVC application, it seems that they have a shared or the same authentication cookie. I thought that ISPs might cache popular URLs, because this problem only happens when a user goes to a specific action of my MVC app, and there he/she sees data from another user.

    So, is it the cache which causes the problem? If so, how can I change ASP.NET Identity to prevent caching?

    Monday, April 9, 2018 6:29 AM

All replies

  • User516094431 posted

    As per your description and need, you can prevent caching forcefully.

    With Ajax:

    $.ajax({
        cache: false
        //rest of your ajax setup
    });

    Prevent caching in MVC:

    using System;
    using System.Web;
    using System.Web.Mvc;

    // Action filter that marks the response as non-cacheable for browsers and proxies.
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
    public sealed class NoCacheAttribute : ActionFilterAttribute
    {
        public override void OnResultExecuting(ResultExecutingContext filterContext)
        {
            // Expire the response immediately and force revalidation everywhere.
            filterContext.HttpContext.Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
            filterContext.HttpContext.Response.Cache.SetValidUntilExpires(false);
            filterContext.HttpContext.Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
            // Cache-Control: no-cache, no-store
            filterContext.HttpContext.Response.Cache.SetCacheability(HttpCacheability.NoCache);
            filterContext.HttpContext.Response.Cache.SetNoStore();

            base.OnResultExecuting(filterContext);
        }
    }

    Decorate your controller:

    [NoCache]
    public class ControllerBase : Controller, IControllerBase

    For reference and more detail:

    https://stackoverflow.com/questions/10011780/prevent-caching-in-asp-net-mvc-for-specific-actions-using-an-attribute/25144198

    Monday, April 9, 2018 7:42 AM
  • User-585144208 posted

    Thanks @mshoaiblibra

    Actually I am already familiar with the "NoCache" attribute, but the interesting point is that I have that problem on only one action, and for others it does not happen at all.

    Monday, April 9, 2018 8:51 AM
  • User283571144 posted

    Hi b.dev,

    b.dev

    cause this problem only happens when user goes to a specific action of my mvc app, and there he/she sees data from another user. 

    As far as I know, the cookie will not be cached.

    The cookie is stored in the client browser.

    For more details about how cookies work in ASP.NET, you could refer to the article below.

    https://msdn.microsoft.com/en-us/library/ms178194(v=vs.100).aspx 

    So your user will not use this cookie to access other user's data.

    I suggest you check your action code to make sure your SQL query is right.

    Best Regards,

    Brando

    Friday, April 13, 2018 7:05 AM
  • User753101303 posted

    Hi,

    What do you see exactly, or do you just assume it could be a cookie issue? It might be server-side HTML output caching. It's also quite frequent to see that caused by mistakenly using static data (i.e. shared by all users) on the server side.

    Friday, April 13, 2018 8:56 AM
  • User-585144208 posted

    I wrote a unit test for the query and it works fine. The weird point is that it worked until recently, when it started to malfunction for a few users.

    Saturday, April 14, 2018 3:47 PM
  • User-585144208 posted

    I just assume that it could be a cookie issue. I don't use any kind of server-side caching for the action. Another point is that for this action, some users also get an "Anti-ForgeryToken" exception with this message: "The anti-forgery cookie token and form field token do not match."

    Saturday, April 14, 2018 3:50 PM
  • User475983607 posted

    The web is stateless by default. You must purposefully write code to share data.

    I just assume that it could be a cookie issue. I don't use any kind of server-side caching for the action.

    The auth cookie is created by passing the username. The only way to have a cookie issue is if your authentication code passes the wrong username. More than likely you have a static variable, bad data, or a bug.

    Another point is that for this action, some users also get "Anti-ForgeryToken" exception with this message : "The anti-forgery cookie token and form field token do not match."

    This error happens when the machine key is set to auto generate and the application restarts.  The key used to create the anti-forgery changed and the new key cannot be used to decode the token so you get the error.  Set a static key to stop this behavior.  Your host service might restart your app or you have a bug that is causing the app to restart.

    Since the data issue is only happening on one page you should be able to review your code to find the logical error.  Post your code if you need assistance.

    Saturday, April 14, 2018 4:06 PM
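
Added example, not part of any reply in this thread: the two server-side causes named in the replies above (a static variable shared by all users, and server-side output caching) in one ASP.NET MVC 5 controller, next to a corrected action. `IOrderStore`, `OrdersController` and the view name `Mine` are hypothetical, and the controller assumes a dependency resolver supplies the constructor argument.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;
using System.Web.UI;               // OutputCacheLocation
using Microsoft.AspNet.Identity;   // GetUserId() extension on IIdentity

// Hypothetical data-access interface standing in for the real query layer.
public interface IOrderStore
{
    IList<string> OrdersFor(string userId);
}

public class OrdersController : Controller
{
    private readonly IOrderStore _store;
    public OrdersController(IOrderStore store) { _store = store; }

    // BUG 1: a static field exists once per application domain, so every
    // request shares it. Two concurrent users race on its value.
    private static string _currentUserId;

    // BUG 2: output caching keyed on the URL only. [Authorize] still checks
    // that the caller is logged in, but the HTML rendered for the first
    // user is replayed to every other authenticated user for 60 seconds.
    [Authorize]
    [OutputCache(Duration = 60, VaryByParam = "none")]
    public ActionResult MineBroken()
    {
        _currentUserId = User.Identity.GetUserId();
        // A parallel request can overwrite _currentUserId before the next line runs.
        return View("Mine", _store.OrdersFor(_currentUserId));
    }

    // Corrected: the user id lives in a local variable scoped to this
    // request, and the response is excluded from server, proxy and
    // browser caches (Cache-Control: no-cache, no-store).
    [Authorize]
    [OutputCache(Location = OutputCacheLocation.None, NoStore = true)]
    public ActionResult Mine()
    {
        string userId = User.Identity.GetUserId();
        return View("Mine", _store.OrdersFor(userId));
    }
}
```

A query unit test passes against both actions, because the defect only appears when two different users hit the action concurrently or within the cache window.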
  • User-585144208 posted

    Thanks for your reply. 

    For the "Machine-Key" I use the non-auto-generated version and specified an explicit key for that.

    Saturday, April 14, 2018 4:09 PM
  • User475983607 posted

    Thanks for your reply. 

    For the "Machine-Key" I use the non-auto-generated version and specified an explicit key for that.

    The error can also happen if the browser does not accept cookies or for some reason the token is not posted. For example, using AJAX.

    Saturday, April 14, 2018 4:15 PM