This repository has been archived by the owner on Nov 22, 2018. It is now read-only.

Antiforgery tokens #69

Closed
sebastienros opened this issue Oct 6, 2016 · 1 comment
sebastienros commented Oct 6, 2016

Anti-forgery tokens can't be cached as they are user specific values, even for anonymous users. Hence if a response is rendered with another's token the form will fail.

Options:

  1. This can be done by having the anti-forgery token generator create a no-cache header. It's already setting the cookie.
     The issue with this is that it can lead to lots of cache misses. For instance, if a layout contains a login form in the header (quite common), or a blog engine renders a comments form for the posts.
  2. A solution to still cache these would be to substitute the token value with a beacon when storing the cache entry, then substituting it when the page is rendered. Like using a standard ESI one that would also work for edge servers. https://www.varnish-cache.org/docs/3.0/tutorial/esi.html

If done correctly it could be generalized to support other user specific values to extend support for authenticated cached pages.
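The two options above, as an added example in Python that is not code from the aspnet/ResponseCaching project or from the issue author: a toy response cache in which a response that the token generator marked `Cache-Control: no-cache` is never stored (option 1), while a cacheable response has its `__RequestVerificationToken` value replaced by a beacon before the entry is stored and swapped back for the requesting user's own token when the entry is served (option 2). The server key, the beacon marker, the HMAC-based token scheme and the `render_login_form` page are all constructed for the demo and do not mirror the real ASP.NET Core antiforgery implementation.

```python
import hashlib
import hmac
import re
import secrets

# Constructed server key; a real application uses its data protection keys.
SERVER_KEY = secrets.token_bytes(32)
# Hypothetical placeholder written into the cached HTML instead of the token.
BEACON = "__ANTIFORGERY_BEACON__"
# Matches the hidden field ASP.NET Core forms use for the antiforgery token.
TOKEN_FIELD = re.compile(
    r'(<input[^>]*name="__RequestVerificationToken"[^>]*value=")([^"]*)(")'
)


def make_token(session_id):
    """Per-user token: HMAC of the session identity under the server key."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def verify_token(session_id, submitted):
    """The form submit fails when the token was minted for another session,
    which is exactly why a naively cached page breaks for the next user."""
    return hmac.compare_digest(make_token(session_id), submitted)


def render_login_form(session_id, cacheable):
    """Simulated page render. cacheable=False models option 1 (the token
    generator emits a no-cache header); cacheable=True leaves the page
    cacheable so that only the beacon substitution (option 2) protects it."""
    headers = {} if cacheable else {"Cache-Control": "no-cache"}
    body = (
        '<form method="post" action="/login">'
        '<input type="hidden" name="__RequestVerificationToken" '
        f'value="{make_token(session_id)}">'
        '<input name="user"><button>Sign in</button></form>'
    )
    return headers, body


class BeaconingResponseCache:
    """In-memory cache keyed by path; stores bodies with the token beaconed."""

    def __init__(self):
        self.entries = {}

    def store(self, path, headers, body):
        # Option 1: honour no-cache / no-store and keep the response out.
        cache_control = headers.get("Cache-Control", "")
        if "no-cache" in cache_control or "no-store" in cache_control:
            return False
        # Option 2: never persist a user's token; persist a beacon instead.
        self.entries[path] = TOKEN_FIELD.sub(rf"\g<1>{BEACON}\g<3>", body)
        return True

    def serve(self, path, session_id):
        # Substitute the requesting user's own token on the way out.
        entry = self.entries.get(path)
        if entry is None:
            return None
        return entry.replace(BEACON, make_token(session_id))


def submitted_token(html):
    """Token a browser would post back from the rendered form."""
    return TOKEN_FIELD.search(html).group(2)


def demo():
    cache = BeaconingResponseCache()
    # Option 1: alice's render carries no-cache, so nothing is stored.
    headers, body = render_login_form("alice", cacheable=False)
    stored_uncacheable = cache.store("/", headers, body)
    # Option 2: alice's cacheable render is stored beaconed; bob then gets
    # the cached page with a token minted for his own session.
    headers, alice_body = render_login_form("alice", cacheable=True)
    stored_beaconed = cache.store("/", headers, alice_body)
    bob_page = cache.serve("/", "bob")
    return {
        "stored_uncacheable": stored_uncacheable,
        "stored_beaconed": stored_beaconed,
        "beacon_in_entry": BEACON in cache.entries["/"],
        "bob_token_valid_for_bob": verify_token("bob", submitted_token(bob_page)),
        "alice_token_valid_for_bob": verify_token("bob", submitted_token(alice_body)),
    }


if __name__ == "__main__":
    print(demo())
```

The last two keys of `demo()` are the point of the issue: a token copied from alice's page fails verification for bob, while the beacon-substituted page hands bob a token that verifies. The same substitution step is what an ESI-capable edge cache would perform with an `<esi:include>` in place of the beacon.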

muratg commented Nov 21, 2016

This should already be fixed with option 1. (aspnet/Antiforgery#105)

@muratg muratg closed this as completed Nov 21, 2016