
I'm creating a website that allows internal users to visit the "Admin" page(s) and authenticate via Windows Authentication. The rest of the site is set up with jQuery Mobile and allows anonymous access. This appears to work fine except when I access the "Admin" area first and then attempt to visit the main part of the site and perform a POST. It appears the CSRF protection (Anti-Forgery token) isn't liking this, as I receive the following error message.

The provided anti-forgery token was meant for user "Domain\UserName", but the current user is "".

Would moving the "Admin" portion of the site to its own virtual directory with Windows Authentication resolve this particular issue, or is there a better solution?

Note: I've read a couple of posts that have said to set the following property to circumvent this issue, but I'm not sure what other security vulnerabilities (if any) I may be opening up by doing so.

AntiForgeryConfig.SuppressIdentityHeuristicChecks = true;

Reference - 1

Reference - 2

NuNn DaDdY
  • Are you using web.config to protect your directories? – Mike Cheel Jul 21 '14 at 16:43
  • Currently, I'm using the [AllowAnonymous] (HomeController) and [Authorize] (AdminController) attributes on each of the controllers and currently only have the authentication element set to "Windows" in the web config. Should I utilize the "location" attribute as indicated in the following URL? http://stackoverflow.com/questions/10794980/protecting-folders-in-mvc – NuNn DaDdY Jul 21 '14 at 16:55
  • I think you are making things a bit harder than they need to be. I would look at that route first before mixing the authentications and such. You know more about your project than I do obviously so I could be wrong. – Mike Cheel Jul 21 '14 at 16:58
  • You're probably correct. :) I'll take a look and see if checking the routes gets me the desired functionality. Thanks for your help. – NuNn DaDdY Jul 21 '14 at 17:00
  • I try to use what comes out of the box before going too nutty with my own workarounds. Sometimes you have to get dirty, but often there is already a solution. – Mike Cheel Jul 21 '14 at 17:01
  • @MikeCheel - Microsoft's official position is that it's impossible to secure an MVC application via web.config, and that this method should not be used – Erik Funkenbusch Jul 21 '14 at 18:52
  • Thank you for your comment. I was just reading the same thing. Any other suggestions for a possible solution to this? – NuNn DaDdY Jul 21 '14 at 20:09
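Added illustration, not part of the original question and not ASP.NET's code: a small Python model of a synchronizer (anti-forgery) token that embeds the authenticated username in the form token, which is the design that produces the error quoted in the question. The model is generic rather than ASP.NET-specific (it uses an HMAC where the framework uses its own protected token format), the scenario functions and the usernames in them are constructed, and `bind_identity` is a hypothetical switch in this model that drops the username binding entirely; it is not a claim about what `AntiForgeryConfig.SuppressIdentityHeuristicChecks` does in ASP.NET.

```python
"""Simplified model of an anti-forgery (synchronizer) token that embeds the
authenticated username.  Constructed for this page; it is NOT ASP.NET's
implementation and uses an HMAC instead of the framework's token format."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed server-side MAC key for the model only.
SERVER_KEY = b"example-only-server-key"


class AntiForgeryError(Exception):
    """Raised when a submitted token pair is rejected."""


@dataclass(frozen=True)
class FormToken:
    security_token: str  # random value that must also appear in the cookie token
    username: str        # identity the page was rendered for; "" means anonymous
    mac: str             # keyed hash binding security_token and username together


def _mac(security_token: str, username: str) -> str:
    msg = f"{security_token}|{username}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def generate_tokens(current_user: str, bind_identity: bool = True):
    """Mint (cookie_token, form_token) while rendering a page to current_user.

    bind_identity is a hypothetical switch for this model: False leaves the
    username out of the form token, which is what the question hopes to achieve.
    """
    security_token = secrets.token_hex(16)
    username = current_user if bind_identity else ""
    return security_token, FormToken(security_token, username, _mac(security_token, username))


def validate(cookie_token: str, form_token: FormToken, current_user: str,
             bind_identity: bool = True) -> bool:
    """Check a POST: token integrity, cookie/form match, then identity binding."""
    if not hmac.compare_digest(form_token.mac, _mac(form_token.security_token, form_token.username)):
        raise AntiForgeryError("form token failed integrity check")
    if not hmac.compare_digest(cookie_token, form_token.security_token):
        raise AntiForgeryError("cookie and form tokens do not match")
    # Case-insensitive comparison is adequate for Windows account names.
    if bind_identity and form_token.username.lower() != current_user.lower():
        raise AntiForgeryError(
            f'The provided anti-forgery token was meant for user "{form_token.username}", '
            f'but the current user is "{current_user}".')
    return True


def _outcome(cookie_token, form_token, current_user, bind_identity=True) -> str:
    try:
        validate(cookie_token, form_token, current_user, bind_identity)
    except AntiForgeryError as exc:
        return str(exc)
    return "accepted"


def scenario_mixed_auth() -> str:
    """The question's case: form rendered while Windows-authenticated, POST arrives anonymous."""
    cookie, form = generate_tokens(r"Domain\UserName")
    return _outcome(cookie, form, current_user="")


def scenario_classic_csrf() -> str:
    """Plain cross-site POST: the attacker has no form token matching the victim's cookie."""
    victim_cookie, _ = generate_tokens(r"Domain\Victim")
    _, attacker_form = generate_tokens(r"Domain\Attacker")
    return _outcome(victim_cookie, attacker_form, current_user=r"Domain\Victim")


def scenario_planted_cookie(bind_identity: bool) -> str:
    """Attacker mints a valid pair in their own session and manages to plant the
    cookie in the victim's browser; the form token now matches that cookie, and
    only the username binding can tell the pair was not issued to the victim."""
    attacker_cookie, attacker_form = generate_tokens(r"Domain\Attacker", bind_identity)
    return _outcome(attacker_cookie, attacker_form, current_user=r"Domain\Victim",
                    bind_identity=bind_identity)


if __name__ == "__main__":
    print("mixed auth      :", scenario_mixed_auth())
    print("classic CSRF    :", scenario_classic_csrf())
    print("planted, bound  :", scenario_planted_cookie(bind_identity=True))
    print("planted, unbound:", scenario_planted_cookie(bind_identity=False))
```

Running it shows the first scenario failing with the same message as the question, the plain cross-site POST failing at the cookie/form match, and the planted-cookie case accepted only when the username binding is switched off. That last line is the cost of any setting that really removes the binding, so before flipping a framework flag, confirm from the framework's own source which check it actually skips.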

0 Answers