Got "Validation of Anti-XSRF token failed" exception

  • Question

  • User-609535877 posted

    Our tester tested my intranet ASP.NET Web Forms application, which uses the default Individual User Accounts authentication from Visual Studio 2015.

    After logging in, the tester clicked the Back arrow in IE to return to the Login page and entered the user name and password again; this threw a runtime exception "Validation of Anti-XSRF token failed" in the anti-XSRF event master_Page_PreLoad(object sender, EventArgs e) of the Site.Master page.

    I searched online and didn't find a proper solution for this issue. What is a better way to deal with it?

    Thanks a lot!

    Friday, September 14, 2018 1:18 PM

Answers

  • User475983607 posted

    You mean the log on page doesn't call the XSRF function??? Could you guide me in more detail?

    I mean, exactly what I stated two times and now a third time! I would NOT combine authentication with ViewState and XSRF.  Authentication is a separate API.  I would create a separate XSRF API to handle only XSRF.  This will simplify the code.

    The other design issue has to do with login logic which I mentioned in my first post.  I assume the page is loaded from cache and you are allowing the user to re-login.  I would, as stated above, turn cache off on the login page.  This will cause the browser to get the login page where you can write code to determine what to do next; either log the user off or redirect the user to a landing page.  Ask your product owners how the app is supposed to work.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, September 14, 2018 3:05 PM

All replies

  • User475983607 posted

    Most likely, clicking the back button caused IE to load the login page from cache which includes a now invalid Anti-XSRF token.  One possible solution is to turn cache off on the login page to force the page to load from the server.  

    You'll need to determine how the application is supposed to work in this situation.  Log the user out and let the user login again or redirect the user to a landing page.  Ask your business owners or review your requirements.

    Anyway, you have the steps to reproduce the bug and everything needed to move forward.  The first step is to use debugging tools to troubleshoot the issue.  This is standard stuff... place a breakpoint and analyse the XSRF logic to determine what happened.  Also remember to use the browser developer tools to determine if the login page is loaded from cache.

    Friday, September 14, 2018 1:32 PM
  • User-609535877 posted

    I know the issue is happening in the following else section of master_Page_PreLoad

                else
                {
                    // Validate the Anti-XSRF token
                    if ((string)ViewState[AntiXsrfTokenKey] != _antiXsrfTokenValue
                        || (string)ViewState[AntiXsrfUserNameKey] != (Context.User.Identity.Name ?? String.Empty))
                    {
                        throw new InvalidOperationException("Validation of Anti-XSRF token failed.");
                    }
                }

    Context.User.Identity.Name holds the user name while the ViewState value (string)ViewState[AntiXsrfUserNameKey] == "", so the application throws the exception

    Friday, September 14, 2018 1:44 PM
  • User475983607 posted

    I know the issue is happening in the following else section of master_Page_PreLoad

                else
                {
                    // Validate the Anti-XSRF token
                    if ((string)ViewState[AntiXsrfTokenKey] != _antiXsrfTokenValue
                        || (string)ViewState[AntiXsrfUserNameKey] != (Context.User.Identity.Name ?? String.Empty))
                    {
                        throw new InvalidOperationException("Validation of Anti-XSRF token failed.");
                    }
                }

    Context.User.Identity.Name holds the user name while the ViewState value (string)ViewState[AntiXsrfUserNameKey] == "", so the application throws the exception

    I don't get why user authentication is tied to XSRF and ViewState.  I recommend that you rethink the design.

    Friday, September 14, 2018 2:00 PM
  • User-609535877 posted

    Thank you, mgebhard.

    It is the default code that comes with VS 2015. What can I change? Thanks!

    Friday, September 14, 2018 2:20 PM
  • User475983607 posted

    It is the default code that comes with VS 2015.

    The logic shown is custom.

    What can I change?

    There's no good reason to tie authentication to XSRF and ViewState.  Authentication has its own API and has nothing to do with XSRF.  The same concept applies to XSRF where XSRF should have its own API.

    I recommend fixing the design. 

    Friday, September 14, 2018 2:27 PM
  • User-609535877 posted

    Hi mgebhard,

    I recommend fixing the design -- you mean the log on page doesn't call the XSRF function??? Could you guide me in more detail? Really appreciate it.

    Friday, September 14, 2018 2:49 PM
  • User475983607 posted

    You mean the log on page doesn't call the XSRF function??? Could you guide me in more detail?

    I mean, exactly what I stated two times and now a third time! I would NOT combine authentication with ViewState and XSRF.  Authentication is a separate API.  I would create a separate XSRF API to handle only XSRF.  This will simplify the code.

    The other design issue has to do with login logic which I mentioned in my first post.  I assume the page is loaded from cache and you are allowing the user to re-login.  I would, as stated above, turn cache off on the login page.  This will cause the browser to get the login page where you can write code to determine what to do next; either log the user off or redirect the user to a landing page.  Ask your product owners how the app is supposed to work.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, September 14, 2018 3:05 PM
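    As an added illustration of the "turn cache off on the login page" advice above (example code written for this thread, not from the poster or the VS template): the check shown earlier stores Context.User.Identity.Name in ViewState on the GET and compares it on the postback, so a login page served from the browser cache to an anonymous user and posted back after authentication carries "" in ViewState while the identity is now set. The Login.aspx.cs below assumes that Site.Master check is unchanged; the landing page name and the sign-out/redirect policy choice are assumptions.

```csharp
// Login.aspx.cs (added example; assumes the Site.Master anti-XSRF check
// from the thread). Goal: never serve this page from cache, and decide up
// front what a fresh GET by an already-authenticated user means.
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Login : Page
{
    // Policy choice (assumption): true = end the session and show the form,
    // false = send the signed-in user to a landing page instead.
    private const bool SignOutOnRevisit = false;
    private const string LandingPage = "~/Default.aspx"; // hypothetical

    protected void Page_Load(object sender, EventArgs e)
    {
        // 1. Forbid caching so Back always issues a new GET. A fresh GET lets
        //    the master page write the current token and current identity
        //    into ViewState, so the later postback validates.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
        Response.AppendHeader("Pragma", "no-cache");

        // 2. Only GETs need the revisit policy; postbacks are the real login.
        if (IsPostBack || !Request.IsAuthenticated)
        {
            return;
        }

        if (SignOutOnRevisit)
        {
            // Drop the auth cookie and reload anonymously, so the token and
            // user name stored in ViewState match the anonymous identity.
            FormsAuthentication.SignOut();
            Response.Redirect(Request.RawUrl, false);
        }
        else
        {
            Response.Redirect(LandingPage, false);
        }
        // Let the pipeline finish the response without ThreadAbortException.
        Context.ApplicationInstance.CompleteRequest();
    }
}
```

    The same no-cache headers can be set in Login.aspx's @OutputCache or web.config instead; the point is that the page the user submits must be the one the server just rendered.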
  • User-609535877 posted

    I got it. Thanks

    Friday, September 14, 2018 3:11 PM