ASP.NET MVC - ValidateAntiForgeryToken expiring

asp.net-mvc asp.net-mvc-3 security csrf antiforgerytoken
DrGriff picture DrGriff · Oct 1, 2012 · Viewed 12.9k times · Source

In a web page we provide a hyperlink (GET) that the User may click on to authenticate:

@Html.ActionLink("Please Login", "MyMethod", "MyController")

This maps to the following controller method which returns a View:

    [RequireHttps]
    public ActionResult MyMethod()
    {
        return this.View(new MyModel());
    }

This View contains the Form in which the User supplies their credentials; the Form contains the required AntiForgeryToken.

When the User submits the form, the following Controller method is called:

    [HttpPost]
    [RequireHttps]
    [ValidateAntiForgeryToken]
    public ActionResult MyMethod(MyModel model)
    {
        // my logic
    }

This works perfectly well, most of the time...

However, if the User leaves their browser open for a "significant" period of time and then performs the following steps in quick succession:

  1. Clicks on the hyperlink (GET) to load the log-in form
  2. Completes the form and submits

They get an exception informing them that the Anti-Forgery token was either not provided or was invalid.

I don't understand why this is the case: the View (containing the form) is created after the browser was dormant and so the anti-forgery tokens should all be "fresh". However, something is evidently wrong with this design, but I'm not sure how best to rectify it.

Thanks in advance if you have any suggestions.

Griff

Answer

Gene Reddick picture Gene Reddick · Apr 10, 2013

I'm dealing with this same problem and while I understand the issue, I'm not sure yet of the best resolution.

The Anti-ForgeryToken process places an input value in the form with a second value stored in a cookie RequestVerificationToken. Both of these are submitted to the server and if they don't match the error is thrown.

The RequestVerficationToken cookie has an expiration value set to be Session. So when the user leaves the browser open on the page for a long time and then submits, the cookie's time stamp is compared to the session timeout value on the server — a default of 20 minutes or so — and having been exceeded, it is removed and thus token validation fails.

Possible solutions, all of which have potential issues;

  1. Put a javascript timer on the page and refresh at some value less than your session timeout.
  2. Catch the System.Web.Mvc.HttpAntiForgeryException on the server — and redirect to the same page.
  3. Increase your session timeout
  4. Change the expiration on the anti-forgery token

Related questions

RequestVerificationToken does not match

I have a problem with the anti CRSF MVC mechanism. The cookie and the form input returned does not match. I'm getting an error every single time, only in one specific page. In the rest of the application it works …

Read More
Why is JsonRequestBehavior needed?

Why is Json Request Behavior needed? If I want to restrict the HttpGet requests to my action I can decorate the action with the [HttpPost] attribute Example: [HttpPost] public JsonResult Foo() { return Json("Secrets"); } // Instead of: public JsonResult Foo() { return …

Read More
Asp.net Mvc custom mechanism to handle unauthorized request

For my website i want following behaviors for secured controller(or action) if a user makes a normal request redirect to login page (which i have easily able to do) if request is Ajax type Request.IsAjaxRequest()==true, return status …

Read More