This repository has been archived by the owner on Sep 18, 2021. It is now read-only.
One reason I'm asking this question is because I think it would likely have caching implications for any high traffic page that has a login button. Most sites have a login button on the home page for instance, and every other page if the button/link is in the header.
Another reason I'm asking is out of personal interest; the AF token is typically used after the user has signed in and because it is closely tied to the identity of the authenticated user.
Would best practice be simply to have the login link (in an MVC RP) point to a protected area (i.e., /my-account with AuthorizeAttribute or a global filter)?
I think a previous MVC OWIN sample I was experimenting with had an actual login button that posted an AF token; was that mechanism thrown out?
I don't think we need one for the login page because we require the signin message param or cookie, which means the CSRF would have to come through the authorization page.