Kentico MVC Anti Forgery Token and caching

Gustavo Quevedo asked on October 18, 2019 13:48

Hi,

I'm using caching to improve performance and I'm having issues with some Kentico Forms added to my site, which by the way is in a web farm.

I have the same <machineKey decryptionKey="XXX" validationKey="XXX" /> values on all web.configs.

However, I'm randomly getting the following error when a form is submitted:

The anti-forgery token could not be decrypted. If this application is hosted by a Web Farm or cluster, ensure that all machines are running the same version of ASP.NET Web Pages and that the configuration specifies explicit encryption and validation keys. AutoGenerate cannot be used in a cluster.

I presume this is because the anti-forgery token value posted was cached and thus doesn't match the one expected by the server.

Is there any solution for this that doesn't involve disabling the caching? Can I disable the Anti Forgery token validation?

Any help would be appreciated.

Kind regards,

Gustavo

Recent Answers


Gustavo Quevedo answered on October 21, 2019 11:30

Vasu,

Thanks for your answer.

Unfortunately, I'm not trying to secure my forms with the anti-forgery token, but to disable it for Kentico forms added to my site via a widget.

They seem to implement this feature by default and there is no option to disable it, which creates a conflict with the site caching.

Kind regards, Gustavo

0 votes

Michal Samuhel answered on October 21, 2019 14:08

Hi Gustavo,

Indeed, the AntiForgeryToken is part of the forms widget which, I assume, you are using. I would be more interested in the caching implementation. The anti-forgery token would be part of the HTML response, so unless you are also caching the whole HTML output of a page, it should not be stored. Is this the approach you are using? In that case, can I also ask why? In general, forms should be a bit more dynamic and their submissions should be protected from automated systems (captcha helps, but tokens make them harder to submit and more secure)...

0 votes

Gustavo Quevedo answered on October 21, 2019 15:00

Michal,

Thanks for your reply.

Indeed I'm using the out-of-the-box Kentico form widget and I'm caching the entire HTML output with an external service. This cache is refreshed every few minutes and used for performance purposes.

I can understand that pages with forms shouldn't be cached because of the token.

But I'd be interested in finding alternatives that wouldn't involve disabling this cache for a specific URL (and its alternative URLs) every time a form is added to a page by a user.

Thanks!

Kind regards,

Gustavo

0 votes

Michal Samuhel answered on October 21, 2019 16:32

A 3rd party service for HTML output caching... I am quite interested to see how it gathers the HTML markup and how it is tied to the application...

Anyway, underneath we are using the standard ASP.NET MVC anti-forgery mechanism, as it is baked in and it is proven, tested and reliable.

There is a pattern you can use, which requires a custom attribute and action filter to prevent the actual validation. These go into the request processing pipeline, and they can be preceded by our implementation and action call (though they should not):

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult FormSubmit()
    {
        // ... handle the posted form here
    }

Anyway, the approach is to use a custom attribute and filter. This still seems to be the same even on Core, and the same pattern is advised in another post.

1 vote
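The custom attribute and action filter pattern Michal mentions can be used to keep the validation and make its failures diagnosable, rather than to switch it off. The following is an added example, not Kentico's code and not code from anyone in this thread; the class name `AuditedAntiForgeryAttribute` and the namespace are hypothetical. It performs the same check as the stock `[ValidateAntiForgeryToken]` (`AntiForgery.Validate()`), but when that throws it records whether the cookie half and the form-field half of the token pair were present at all and which message ASP.NET produced. ASP.NET uses distinct messages for a missing cookie, a missing form field, a cookie/field pair that does not match, and a token that cannot be decrypted (the message quoted in the question), so the categories below let you tell a form token baked into a cached page apart from a post that never carried a token or from a machineKey mismatch between farm nodes.

```csharp
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

namespace Example.Filters // hypothetical namespace
{
    /// <summary>
    /// Hypothetical replacement for [ValidateAntiForgeryToken] on your own
    /// form-posting actions (added example, not Kentico's code). It runs the
    /// same validation as the stock attribute, but classifies and logs each
    /// failure before rejecting the request.
    /// </summary>
    [AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
    public sealed class AuditedAntiForgeryAttribute : FilterAttribute, IAuthorizationFilter
    {
        // Hidden field name emitted by @Html.AntiForgeryToken(); the cookie name
        // is exposed by AntiForgeryConfig.CookieName.
        private const string FormFieldName = "__RequestVerificationToken";

        public void OnAuthorization(AuthorizationContext filterContext)
        {
            if (filterContext == null) throw new ArgumentNullException(nameof(filterContext));

            try
            {
                // Same check the stock attribute performs: the cookie token and the
                // form token must both decrypt (same machineKey on every farm node)
                // and must have been issued together for the current user.
                AntiForgery.Validate();
            }
            catch (HttpAntiForgeryException ex)
            {
                HttpRequestBase request = filterContext.HttpContext.Request;
                bool hasCookie = request.Cookies[AntiForgeryConfig.CookieName] != null;
                bool hasField = !string.IsNullOrEmpty(request.Form[FormFieldName]);

                string category = Classify(hasCookie, hasField, ex.Message);

                // One structured line for whatever collects Trace output; the
                // category is the value to dashboard or alert on.
                Trace.TraceWarning(
                    "antiforgery_failed category={0} path={1} referrer={2} cookie={3} field={4} user=\"{5}\"",
                    category,
                    request.Path,
                    request.UrlReferrer,
                    hasCookie,
                    hasField,
                    filterContext.HttpContext.User?.Identity?.Name);

                // Keep the protection: reject the post instead of letting it through.
                filterContext.Result = new HttpStatusCodeResult(400, "Invalid anti-forgery token.");
            }
        }

        /// <summary>Maps an anti-forgery failure onto a small set of triage categories.</summary>
        internal static string Classify(bool hasCookie, bool hasField, string message)
        {
            if (!hasField)
            {
                // Nothing in the form: a scripted post, or a form rendered
                // without @Html.AntiForgeryToken().
                return "field-missing";
            }
            if (!hasCookie)
            {
                // Form token present but no cookie: what you would expect when the
                // visitor got the page from the HTML cache and so never reached the
                // origin that would have set the cookie.
                return "cookie-missing";
            }
            if (message.IndexOf("could not be decrypted", StringComparison.OrdinalIgnoreCase) >= 0)
            {
                // The message quoted in the question: the token was produced under a
                // different machineKey (another farm node, or keys changed after the
                // cached copy was taken).
                return "undecryptable";
            }
            if (message.IndexOf("do not match", StringComparison.OrdinalIgnoreCase) >= 0)
            {
                // Both halves decrypt but were not issued together, e.g. the visitor's
                // own cookie combined with a form token from a cached page.
                return "pair-mismatch";
            }
            return "other"; // username/claim mismatch, additional-data check, etc.
        }
    }
}
```

On the snippet above, `[ValidateAntiForgeryToken]` on `FormSubmit` would become `[AuditedAntiForgery]`. This only reaches actions you write yourself; the Kentico form widget keeps its own validation, so for pages rendering that widget the conclusion of the thread (keeping them out of the HTML cache) remains the fix, and the `cookie-missing` and `pair-mismatch` counts in the log are a quick way to confirm a cache is serving stale form tokens before you change anything.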

Morgan Lynch answered on October 21, 2019 16:52 (last edited on October 21, 2019 16:53)

0 votes

Gustavo Quevedo answered on October 21, 2019 16:54

Michal,

That's fine. I see there is at least a way to approach it even though it's not as simple and clean as I'd like.

I've finally decided to disable the caching for the pages that include a form.

Thank you very much for your help.

Kind regards,

Gustavo

0 votes
