May 29, 2019 09:06 PM|wavemaster
I work on several sites within the same domain but different port numbers throughout the day.
I am getting frequent warnings like the one in the title, and the Elmah logs show some of our clients have the same issue.
Found some stuff online for MVC, but how does one resolve this for WebPages?
May 30, 2019 05:38 AM|Wei Zhang
According to your description, this happens because the anti-forgery token embeds the username of the user as part of the encrypted token for better validation.
When you first call @Html.AntiForgeryToken(), the user is not logged in, so the token will have an empty string for the username. After the user logs in, if you do not replace the anti-forgery token, it will not pass validation, because the initial token was for an anonymous user and now we have an authenticated user with a known username.
So I suggest that you try the following:
1. Just this time, let your SPA do a full POST; when the page reloads, it will have an anti-forgery token with the updated username embedded.
2. Have a partial view with just @Html.AntiForgeryToken() and, right after logging in, do another AJAX request and replace your existing anti-forgery token with the response of the request.
3. Just disable the identity check the anti-forgery validation performs. Add the following to your Application_Start method:
AntiForgeryConfig.SuppressIdentityHeuristicChecks = true;
Here is the link; I hope it helps you.
May 30, 2019 11:58 AM|wavemaster
I had found that thread, but could not translate those solutions to my WebPages' environment.
It is not a SPA
Full post is already happening
There are no partial views (WebPages = page model)
There is no Application_Start
Jun 03, 2019 06:41 AM|Gary Liu - MSFT
The cookies in the same domain are shared with all the applications, even if these applications are on different ports. Please refer to https://stackoverflow.com/questions/1612177/are-http-cookies-port-specific for a detailed explanation.
You can also try publishing your applications to different domains to solve the issue.
BTW, we cannot reproduce your issue on our side. If the issue is consistent, please share more info about your environment and key code snippets with us for further analysis.
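The port-agnostic cookie scope described in the last reply can be reproduced offline with Python's standard cookie jar. This is an added example, not code from any poster in the thread; the host name, ports, token values and per-app cookie names are constructed, and the premise that each app issues its own anti-forgery cookie on a request is an assumption of the simulation.

```python
import email
import urllib.request
from http.cookiejar import CookieJar

TOKEN = "__RequestVerificationToken"           # default ASP.NET anti-forgery cookie name
APP_A = "http://apps.example.test:8080/form"   # constructed host and ports
APP_B = "http://apps.example.test:8081/form"


class FakeResponse:
    """Stand-in for an HTTP response that carries Set-Cookie headers."""

    def __init__(self, set_cookies):
        raw = "".join(f"Set-Cookie: {c}\n" for c in set_cookies) + "\n"
        self._headers = email.message_from_string(raw)

    def info(self):
        return self._headers


def visit(jar, url, set_cookies=()):
    """Return the Cookie header a client sends to url, then store the reply's cookies."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)          # cookie matching ignores the port
    sent = req.get_header("Cookie")
    jar.extract_cookies(FakeResponse(set_cookies), req)
    return sent


def shared_name_scenario():
    """Both apps use the default cookie name, as two unconfigured sites would."""
    jar = CookieJar()
    visit(jar, APP_A, [f"{TOKEN}=issuedByAppA; path=/; HttpOnly"])
    sent_to_b = visit(jar, APP_B, [f"{TOKEN}=issuedByAppB; path=/; HttpOnly"])
    sent_to_a = visit(jar, APP_A)       # app A now receives app B's cookie
    return sent_to_b, sent_to_a, len(jar)


def distinct_name_scenario():
    """Hypothetical per-app names (e.g. assigned via AntiForgeryConfig.CookieName)."""
    jar = CookieJar()
    visit(jar, APP_A, ["AppA_Antiforgery=issuedByAppA; path=/; HttpOnly"])
    visit(jar, APP_B, ["AppB_Antiforgery=issuedByAppB; path=/; HttpOnly"])
    return visit(jar, APP_A), len(jar)  # both cookies survive side by side


if __name__ == "__main__":
    print(shared_name_scenario())
    print(distinct_name_scenario())
```

With a shared name, the jar ends up holding a single cookie, so the value one site issued is what the other site receives on the next request; with distinct names both cookies are still sent to both ports, but neither overwrites the other.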