Overriding anti-fake token errors on login page

I have a website that receives a large number of the following errors:

The provided anti-forgery token was meant for a different claims-based user than the current user.

The anti-forgery cookie token and form field token do not match.

I want the site not to give an error on the login page if the anti-forgery token was not intended for the current user, for example:

The provided anti-forgery token is intended for the user, but the current user is Garret.

I do not want this exception to apply to any page other than the login page. Therefore, I do not want to add AntiForgeryConfig.SuppressIdentityHeuristicChecks = true; to the entire site. I also want the site to be as secure as possible, as it contains HIPAA data. What can I do to keep it as safe as possible, but still prevent this error on the login page, because it makes the site harder for users to use?

The site is hosted on load-balanced servers, but I don't think this is the problem. I think that the error is mainly caused by using the browser's "Back" button to return to the login page after logging in, or by clicking the login button more than once. Also, some users access it through an application that may not load the page, and simply tries to send the login information.

So, please let me know: what is the best option to prevent this error on the login page, as far as possible?

+5
4 answers


    [HttpPost]
    [AllowAnonymous]
    //[ValidateAntiForgeryToken]
    [OutputCache(NoStore = true, Duration = 0, VaryByParam = "None")]
    public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
    {
        // Skip the login process if the user is already logged in
        if (User.Identity.IsAuthenticated) 
        {
            return RedirectToAction("Index", "Home");
        }
        // Check the anti forgery token now
        System.Web.Helpers.AntiForgery.Validate();
        ...
+5


[HttpPost]
[ValidateAntiForgeryToken]
[HandleError(View="Login", ExceptionType = typeof(HttpAntiForgeryException))]
public ActionResult Login(LoginModel model)
{
     // some login processing stuff
}

, JS , "" :

<body onload="window.history.forward()">...</body>

// or wrap it inside a function
<script type="text/javascript">
    function noBackOnLogin() {
        window.history.forward();
        // push the current URL so the page is also covered in Mobile Safari's
        // back-forward cache, see https://stackoverflow.com/a/34337617/6378815
        history.pushState(null, document.title, location.href);
    }
</script>
<body onload="noBackOnLogin();" onpageshow="if (event.persisted) noBackOnLogin();">...</body>


+2

@Michael_B:

    // Skip the login process if the user is already logged in
    if (User.Identity.IsAuthenticated) 
    {
        return RedirectToAction("Index", "Home");
    }
    // Check the anti forgery token now
    System.Web.Helpers.AntiForgery.Validate();
    ...

:

    // if not authenticated, check anti forgery token now:
    if (!User.Identity.IsAuthenticated) 
    {
        System.Web.Helpers.AntiForgery.Validate();
    }
    // run rest of login process normally

    ...
0

Instead of checking User.Identity.IsAuthenticated, I used a custom attribute to handle exceptions and redirect the user to the home page if it is an HttpAntiForgeryException.

I believe that this avoids any potential security issues using other methods.

using System.Web.Mvc;
using System.Web.Routing;

// Custom exception filter (class name is illustrative): an HttpAntiForgeryException
// from a stale login token redirects to the home page instead of the error view;
// every other exception falls through to the normal HandleError behaviour.
public class HandleAntiForgeryErrorAttribute : HandleErrorAttribute
{
    public override void OnException(ExceptionContext filterContext)
    {
        if (filterContext.Exception is HttpAntiForgeryException)
        {
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary
                {
                    { "action", "Index" },
                    { "controller", "Home" }
                });

            filterContext.ExceptionHandled = true;
        }
        else
        {
            base.OnException(filterContext);
        }
    }
}
0
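The three answers above (skip the check for an already-authenticated user, keep validating for anonymous users, and turn a stale token into a redirect rather than an error page) can be combined in a single authorization filter scoped to the login action, so that `AntiForgeryConfig.SuppressIdentityHeuristicChecks` never has to be set site-wide. This is an added example, not code from any of the answers; the attribute name and the `Home/Index` and `Account/Login` routes are assumptions.

```csharp
using System;
using System.Web.Helpers;
using System.Web.Mvc;
using System.Web.Routing;

// Hypothetical filter name. Validates the anti-forgery token only while the request
// is still anonymous; an already-authenticated user is sent away from the login
// form instead of tripping the "meant for a different user" identity check.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false)]
public sealed class ValidateAntiForgeryTokenForAnonymousAttribute
    : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        var user = filterContext.HttpContext.User;
        if (user != null && user.Identity.IsAuthenticated)
        {
            // Session already exists (Back button, double submit): no login needed.
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary { { "controller", "Home" }, { "action", "Index" } });
            return;
        }

        try
        {
            // Anonymous request: the form token MUST still match the cookie token,
            // so a login form submitted from another site is rejected (login CSRF).
            AntiForgery.Validate();
        }
        catch (HttpAntiForgeryException)
        {
            // Stale or missing token (cached page, client that never loaded the form):
            // send the user to GET Account/Login for a fresh token instead of a 500
            // page. No credentials have been checked at this point.
            filterContext.Result = new RedirectToRouteResult(
                new RouteValueDictionary { { "controller", "Account" }, { "action", "Login" } });
        }
    }
}

// Usage: replaces [ValidateAntiForgeryToken] on the POST login action only.
// [HttpPost, AllowAnonymous, ValidateAntiForgeryTokenForAnonymous]
// public async Task<ActionResult> Login(LoginViewModel model, string returnUrl) { ... }
```

Every other action on the site keeps the standard `[ValidateAntiForgeryToken]`, so the relaxed handling is limited to the login POST.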