Anti forgery token on login page

c# asp.net-mvc-3 antiforgerytoken
cpoDesign picture cpoDesign · Feb 24, 2012 · Viewed 20.9k times · Source

I have implemented antiforgery token on my login page.

Now I had one user pressing back key on the keyboard, and when they click on login button again after filling their credentials, they get error page.

Is there some better way of handeling this case like redirect them to fresh login page?

Page that is login page is :/account/logon

If login details are sucessfull the user is redirected to :Home/Index page on which the user pressed button back.

Answer

Adam Tuliper - MSFT picture Adam Tuliper - MSFT · Feb 24, 2012

Don't implement the ASP.NET AntiForgeryToken on your login page. The token is based on a username among other criteria and a login page assume the attacker already has credentials to a system in order to be able to exploit csrf on that page.

However, you should use some form of CSRF protection on your login page - see https://security.stackexchange.com/a/2126/51772

Related questions

Entity Framework 5 Updating a Record

I have been exploring different methods of editing/updating a record within Entity Framework 5 in an ASP.NET MVC3 environment, but so far none of them tick all of the boxes I need. I'll explain why. I have found three …

Read More
Returning a file to View/Download in ASP.NET MVC

I'm encountering a problem sending files stored in a database back to the user in ASP.NET MVC. What I want is a view listing two links, one to view the file and let the mimetype sent to the browser …

Read More
The type or namespace name does not exist in the namespace 'System.Web.Mvc'

Buiding MVC3 solution went well but have got an error in browser: Compiler Error Message: CS0234: The type or namespace name 'Html' does not exist in the namespace 'System.Web.Mvc' (are you missing an assembly reference?) Source Error: Line 25: &…

Read More