Server Cannot Append Header After HTTP headers have been sent Exception at @Html.AntiForgery

asp.net-mvc-5 razorengine
Bilal Ahmed picture Bilal Ahmed · Dec 14, 2015 · Viewed 43.6k times · Source

I'm developing an asp.net mvc 5 application in which I was trying to redirect to the ReturnUrl by applying the code below :

[HttpPost]
[AllowAnonymous]
public ActionResult Login(UserLogin model, string returnUrl)
{
    if (ModelState.IsValid)
    {
        string EncryptedPassword = GetMD5(model.Password);
        if (DataAccess.DAL.UserIsValid(model.Username, EncryptedPassword))
        {
            FormsAuthentication.SetAuthCookie(model.Username, true);
            if (String.IsNullOrEmpty(returnUrl))
            {
                return RedirectToAction("Index", "Home");
            }
            else
            {
                Response.Redirect(returnUrl);
            }
        }
        else
        {
            ModelState.AddModelError("", "Invalid Username or Password");
        }
    }
    return View();
}

The above code is working fine, But the problem is that when I Post the login form, it gives me an Exception that I've never faced Before and I'm having difficulties resolving the exception that is generating in the view in Login.cshtml, At Line :

@Html.AntiForgeryToken()

And the Exception That it throws:

Server cannot append header after HTTP headers have been sent.

I've researched a lot but I'm unable to get to the conclusion. My application works fine when I remove @Html.AntiForgeryToken() line, But I don't want to do this, I want my application to remain cross-site request protected.

Can Anyone Please Help me out, How do I get rid of this Exception?

Answer

Joel R Michaliszen picture Joel R Michaliszen · Dec 29, 2015

When Response.Redirect(anyUrl) the status code is set to 302, and the header will added to the response :

HTTP 1.0 302 Object Moved 
Location: http://anyurl.com

And when ViewResult is executed and razor render the view the Html.AntiForgeryToken() will called, so the helper tries to add the header X-Frame-Options and some cookies to the response, it is the cause of the exception.

But don't worry you can suppress the addition of X-Frame-Options header, just put this AntiForgeryConfig.SuppressXFrameOptionsHeader = true; in the Application_start.

But I suggest you to change this:

Response.Redirect(returnUrl);

to

return Redirect(returnUrl);

Note

Since .NET code was opened you can see how the AntiForgeryToken works, see here AntiForgeryWorker.

Related questions

HTTP Error 500.19 and error code : 0x80070021

I have a simple webAPI build by Visual Studio 2013. It works well when I run it from VS13 but when I copy the project in local IIS it gives me the following error. HTTP Error 500.19 - Internal Server Error The …

Read More
ASP.NET MVC 5 - Identity. How to get current ApplicationUser

I have an Article entity in my project which has the ApplicationUser property named Author. How can I get the full object of currently logged ApplicationUser? While creating a new article, I have to set the Author property in Article …

Read More
How to get current user, and how to use User class in MVC5?

How can I get the id of the currently logged in user in MVC 5? I tried the StackOverflow suggestions, but they seem to be not for MVC 5. Also, what is the MVC 5 best practice of assigning stuff to the users? (…

Read More