Reputation: 93
I redirect a page from a web form page (profile.aspx) to an MVC view (signin.aspx). In the MVC controller, I have [ValidateAntiForgeryToken] to get token information, but when I submit the MVC view, I get the 'a required anti-forgery token was not supplied or was invalid' message. If I remove [ValidateAntiForgeryToken], there is no more error message, but I lose my token information.
I do need all that token information for validation. So how can I fix this kind of issue?
Thanks.
Upvotes: 1
Views: 2723
Reputation: 9296
In your view, where you declare <form>, you need to use the @Html.AntiForgeryToken() helper.
@using (Html.BeginForm()) {
    @Html.AntiForgeryToken()
    // The rest of your code
    <div class="something">
        @Html.DisplayFor(m => m.Whatever)
    </div>
    // etc...
}
This will pass the anti-forgery token back to your controller.
UPDATE: The problem that you have is that you are performing a redirection. When you do this, all the values are lost. What is unclear is why you do the redirect from one page to another. Normally in MVC, if the user is not authenticated or the session expires, there will be a redirect to the login.aspx page. If your Signin.aspx is in AccountController, then both Signin.aspx and AccountController should be marked for anti-forgery. However, if a user is in Signin.aspx, then internally you just call return RedirectToAction("Profile", "WhateverController"); your information will be lost and WhateverController will fail because the Profile action does not receive anti-forgery information.
Your sign-in process should do something, redirect to the HTTP GET version of Profile, have the user complete the form entry and submit it to the HTTP POST version of Profile. This way your data will be kept and the anti-forgery token will arrive successfully.
Upvotes: 1
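The GET-then-POST flow described in the answer above, as an added example that is not code from the original posts. The names ProfileModel, ProfileController and the Edit action are hypothetical, and the sign-in step assumes the application uses the ASP.NET Membership provider.

```csharp
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical names: ProfileModel, ProfileController, the Edit action.
public class ProfileModel { public string DisplayName { get; set; } }

public class AccountController : Controller
{
    [HttpGet]
    public ActionResult SignIn() { return View(); }  // view calls @Html.AntiForgeryToken()

    [HttpPost]
    [ValidateAntiForgeryToken]  // token was issued by the GET SignIn view above
    public ActionResult SignIn(string userName, string password)
    {
        // Assumption: credentials are checked with the Membership provider.
        if (!Membership.ValidateUser(userName, password))
        {
            ModelState.AddModelError("", "Invalid user name or password.");
            return View();
        }
        FormsAuthentication.SetAuthCookie(userName, false);
        // A redirect arrives as a GET with no form body, so it must land on
        // an action that does not validate a token.
        return RedirectToAction("Edit", "Profile");
    }
}

[Authorize]
public class ProfileController : Controller
{
    [HttpGet]  // no [ValidateAntiForgeryToken] here: nothing has been posted yet
    public ActionResult Edit()
    {
        // The Edit view renders the form and calls @Html.AntiForgeryToken(),
        // which emits the hidden field and sets the matching cookie.
        return View(new ProfileModel());
    }

    [HttpPost]
    [ValidateAntiForgeryToken]  // compares the posted hidden field with the cookie
    public ActionResult Edit(ProfileModel model)
    {
        if (!ModelState.IsValid) return View(model);
        // Saving the profile is application-specific; redirect back to the GET afterwards.
        return RedirectToAction("Edit");
    }
}
```

Only the POST actions carry [ValidateAntiForgeryToken]; every redirect target is a GET action whose view issues a fresh token for the next submit.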