Will ASP.Net MVC's AntiForgeryToken Method work with Load Balancers?

asp.net-mvc security cookies load-balancing antiforgerytoken
Paul Fryer picture Paul Fryer · Aug 6, 2010 · Viewed 7.7k times · Source

Using ASP.Net MVC v2.0, I am starting to research the use of the Html.AntiForgeryToken() method when submitting forms that process data. I can see it sets a hidden value in the form HTML and it sets the same value in a session cookie.

The question is will different web servers in a load balanced configuration create the same token in the HTML forms? It seems if they don't then the cookie and hidden form value wouldn't match and we would have a problem. Before I get into actually testing this in a LB configuration, wanted to check if anyone already has experience with this?

Thanks, Paul

Answer

Levi picture Levi · Aug 6, 2010

If all machines across the farm share the same <machineKey>, everything will work. There are lots of resources on how to set this. There's also a tutorial on MSDN.

Note that the name <machineKey> is a bit misleading, since this is actually set per-application in ~/Web.config. So set the <machineKey> explicitly in your app's Web.config, then deploy across your farm.

Related questions

How can I set the 'secure' flag for cookies in an ASP.NET MVC website?

I have set the following in web.config: <system.web> <httpCookies httpOnlyCookies="true" requireSSL="true" /> </system.web> When I hit the website using an HTTP connection, it redirects to my login page (specifying the …

Read More
Why is JsonRequestBehavior needed?

Why is Json Request Behavior needed? If I want to restrict the HttpGet requests to my action I can decorate the action with the [HttpPost] attribute Example: [HttpPost] public JsonResult Foo() { return Json("Secrets"); } // Instead of: public JsonResult Foo() { return …

Read More
How to remove ASP.Net MVC Default HTTP Headers?

Each page in an MVC application I'm working with sets these HTTP headers in responses: X-Powered-By: ASP.NET X-AspNet-Version: 2.0.50727 X-AspNetMvc-Version: 2.0 How do I prevent these from showing?

Read More