This repository has been archived by the owner on Sep 18, 2021. It is now read-only.

[Question] What is the significance of posting an AF token when clicking Login? #229

Closed
rayph opened this issue Jul 18, 2014 · 3 comments

Comments

@rayph

rayph commented Jul 18, 2014

One reason I'm asking this question is because I think it would likely have caching implications for any high traffic page that has a login button. Most sites have a login button on the home page for instance, and every other page if the button/link is in the header.

Another reason I'm asking is out of personal interest; the AF token is typically used after the user has signed in and because it is closely tied to the identity of the authenticated user.

@brockallen
Member

Well, right now we don't have an anti-forgery token on the login page.

@rayph
Author

rayph commented Jul 21, 2014

Would best practice be simply to have the login link (in an MVC RP) point to a protected area (i.e.: /my-account with AuthorizeAttribute or a global filter)?

I think a previous MVC OWIN sample I was experimenting with had an actual login button that posted an AF token; was that mechanism thrown out?

@brockallen
Member

We'll be doing this for the consent page: #235

I don't think we need one for the login page because we require the signin message param or cookie, which means the CSRF would have to come through the authorization page.
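The reasoning above (a login POST is bound to a signin message created by the authorization endpoint, so a forged cross-site login POST cannot supply a valid one) as an added toy model; this is not IdentityServer's code, and the `LoginFlow` class, the `signin` cookie name and the endpoint shapes are assumptions made for the illustration:

```python
import secrets


class LoginFlow:
    """Toy model of a login page guarded by a signin message rather than an AF token.

    Assumed design (not the real IdentityServer code): the authorization endpoint
    stores a signin message under a random id, sets that id in a cookie for the
    login page, and redirects to /login?signin=<id>. The login POST is accepted
    only when a known, unused signin id is supplied and matches the caller's cookie.
    """

    def __init__(self):
        self._messages = {}  # signin id -> original authorization request

    def authorize(self, client_id, return_url):
        """Authorization endpoint: mint a signin message, return (redirect, cookies)."""
        signin_id = secrets.token_urlsafe(16)  # unguessable by a third-party site
        self._messages[signin_id] = {"client_id": client_id, "return_url": return_url}
        return f"/login?signin={signin_id}", {"signin": signin_id}

    def login_post(self, form, cookies):
        """Login POST handler, returns (status, detail)."""
        signin_id = form.get("signin")
        if not signin_id or signin_id not in self._messages:
            return 400, "missing or unknown signin message"
        if cookies.get("signin") != signin_id:
            return 400, "signin id does not match cookie"
        msg = self._messages.pop(signin_id)  # single use, like a one-time token
        return 302, msg["return_url"]


def demo():
    """Legitimate flow succeeds; forged cross-site login POSTs are rejected."""
    idp = LoginFlow()
    # Victim's browser: goes through /authorize and lands on the login page with a cookie.
    redirect, victim_cookies = idp.authorize("mvc-rp", "https://rp.example/cb")
    victim_id = redirect.split("signin=")[1]

    # Attacker: runs their own authorization request and so holds a different id.
    _, attacker_cookies = idp.authorize("mvc-rp", "https://attacker.example/cb")
    attacker_id = attacker_cookies["signin"]

    # Forged POST from the attacker's page: the browser attaches the victim's cookies,
    # but the form can only carry an id the attacker actually knows (or none at all).
    forged = idp.login_post({"signin": attacker_id, "user": "attacker"}, victim_cookies)
    blind = idp.login_post({"user": "attacker"}, victim_cookies)
    legit = idp.login_post({"signin": victim_id, "user": "victim"}, victim_cookies)
    replay = idp.login_post({"signin": victim_id, "user": "victim"}, victim_cookies)
    return forged[0], blind[0], legit, replay[0]
```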
