Before I deploy some code that appears to work in testing, are there any issues with the use of the AntiForgeryToken when deployed to an Azure WebRole? Because it generates some HTML and a cookie, I'm worried about the following...

The pages are cached by the MVC cache. Will the anti-forgery token's cookie get re-issued on subsequent requests for the page?

The page is running in an Azure Webrole on multiple instances. Is there any issue if the receiving server is not the one that generated the page?

The forms come from a lump of HTML saved in the database. We therefore propose to effectively do a string replace to find a simple token and swap in the AntiForgery token (code below). This appears to work but is worrying me.

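        // Placeholder that the stored HTML uses to mark where the token belongs.
        var xtoken = "<!--AntiForgeryToken-->";
        if (content.Contains(xtoken))
        {
            // Generate the hidden input (this also sets the cookie) for the current request.
            var token = HttpUtility.HtmlDecode(html.AntiForgeryToken().ToHtmlString());
            content = content.Replace(xtoken, token);
        }

        // Emit the stored HTML unencoded.
        return html.Raw(content);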

Will the above generate any issues?

Andiih

1 Answer


You can't use cache on pages with AntiForgeryToken() token - see this.

The page is running in an Azure Webrole on multiple servers

If you mean a WebRole running on multiple instances, that should not be a problem, because by default Azure will take care of the MachineKey (see here).

But you might have a problem just after deployment (redeployment), because Azure will override the MachineKey.

b2zw2a
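
The following console program is an added illustration, not code from the question or the answer and not ASP.NET's implementation. It models the cookie token and the form token as MAC-protected values that share an id (all class and method names are assumptions) to show the three cases discussed above: a post to a second instance with the same machine key validates, while a post after the key has been replaced, or a cached form served to a different user, does not.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Simplified model, not ASP.NET's implementation: a token is "payload.mac",
// with the MAC keyed by the instance's machine key. Requires .NET 6 or later.
class Instance
{
    private readonly byte[] key;
    public Instance(byte[] machineKey) => key = machineKey;
    private string Mac(string payload) =>
        Convert.ToBase64String(HMACSHA256.HashData(key, Encoding.UTF8.GetBytes(payload)));

    // Page render: a cookie token and a form token that share one random id.
    public void Render(out string cookie, out string form)
    {
        string id = Convert.ToBase64String(RandomNumberGenerator.GetBytes(16));
        cookie = "c:" + id + "." + Mac("c:" + id);
        form = "f:" + id + "." + Mac("f:" + id);
    }

    // POST: both MACs must verify under this instance's key and the ids must match.
    public bool Validate(string cookie, string form) =>
        TryOpen(cookie, "c:", out var c) && TryOpen(form, "f:", out var f) && c == f;

    private bool TryOpen(string token, string prefix, out string id)
    {
        id = "";
        int dot = token.LastIndexOf('.');
        if (dot < 0 || !token.StartsWith(prefix, StringComparison.Ordinal)) return false;
        string payload = token.Substring(0, dot);
        if (!CryptographicOperations.FixedTimeEquals(Encoding.UTF8.GetBytes(Mac(payload)),
                Encoding.UTF8.GetBytes(token.Substring(dot + 1)))) return false;
        id = payload.Substring(prefix.Length);
        return true;
    }
}

class Program
{
    static void Main()
    {
        byte[] shared = RandomNumberGenerator.GetBytes(32);   // constructed sample key
        Instance a = new(shared), b = new(shared), redeployed = new(RandomNumberGenerator.GetBytes(32));
        a.Render(out var cookieA, out var formA);                // user A's page, instance A
        Console.WriteLine(b.Validate(cookieA, formA));           // posted to instance B, same key
        Console.WriteLine(redeployed.Validate(cookieA, formA));  // key replaced after render
        a.Render(out var cookieB, out _);                        // user B's own cookie
        Console.WriteLine(a.Validate(cookieB, formA));           // B posts A's cached form
    }
}
```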