
For all my site pages, after being logged in for a few minutes, I get the following error when I attempt to log out:

The anti-forgery cookie token and form field token do not match.

I read in this link about ways to track this exception down, but since this exception only appears on logout, I wonder if it might just be easier to exclude the anti-forgery-token for the logout form altogether. Is that a good idea?

I am using the template login page that is auto-generated with new MVC projects.

Thanks!

Community
Tormod Haugene

1 Answer


It is advisable to add the token to a logout form, otherwise someone can create a page that posts to your logout page, logging out your users, which is annoying.

CodeCaster
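An added sketch (not code from the question, the answer, or the MVC project template) of keeping the anti-forgery check on the logout form while turning a failed check into a redirect instead of an error page. It assumes ASP.NET MVC 5 (`System.Web.Mvc`) with forms authentication; `RedirectOnAntiForgeryFailureAttribute` and the redirect target are hypothetical.

```csharp
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical exception filter: a request that fails anti-forgery validation
// is still rejected, but the user is redirected instead of seeing an error page.
public sealed class RedirectOnAntiForgeryFailureAttribute : FilterAttribute, IExceptionFilter
{
    public void OnException(ExceptionContext filterContext)
    {
        if (filterContext.ExceptionHandled) return;
        if (!(filterContext.Exception is HttpAntiForgeryException)) return;

        // The request failed validation, so it is untrusted: do NOT sign out here.
        // A forged cross-site POST therefore has no effect on the session.
        filterContext.Result = new RedirectResult("~/"); // assumption: site root
        filterContext.ExceptionHandled = true;
    }
}

public class AccountController : Controller
{
    // POST only, so a plain link or image tag on another site cannot trigger it;
    // the token check stops a cross-site form post from logging the user out.
    [HttpPost]
    [ValidateAntiForgeryToken]
    [RedirectOnAntiForgeryFailure]
    public ActionResult LogOff()
    {
        // Assumption: forms authentication. Use your project's own sign-out call.
        FormsAuthentication.SignOut();
        return RedirectToAction("Index", "Home");
    }
}

// Matching Razor form (the token field must be rendered inside the form):
//
//   @using (Html.BeginForm("LogOff", "Account", FormMethod.Post))
//   {
//       @Html.AntiForgeryToken()
//       <button type="submit">Log off</button>
//   }
```

After the redirect the page is rendered again with a fresh token, so a second click on the logout button is validated normally.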