Tormod Haugene

Reputation: 3686

Is the anti-forgery token for logout necessary?

For all my site pages, after being logged in for a few minutes, I get the following error when I attempt to log out:

The anti-forgery cookie token and form field token do not match.

I read in this link about ways to track this exception down, but since this exception only appears on logout, I wonder if it might just be easier to exclude the anti-forgery token for the logout form altogether. Is that a good idea?

I am using the template login page that is auto-generated with new MVC projects.

Thanks!

Upvotes: 9

Views: 3164

Answers (1)

CodeCaster

Reputation: 151654

It is advisable to add the token to a logout form, otherwise someone can create a page that posts to your logout page, logging out your users, which is annoying.

Upvotes: 9
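
An added example, not part of the answer above and not the template's own code: a logout action that keeps the anti-forgery check and handles a token mismatch without showing an error page. The controller and action names, the redirect targets and the use of FormsAuthentication are assumptions; substitute the sign-out call your project template generated.

```csharp
using System;
using System.Web.Mvc;
using System.Web.Security;

public class AccountController : Controller
{
    // The logout form in the view must emit the token, for example:
    //   @using (Html.BeginForm("LogOff", "Account", FormMethod.Post)) {
    //       @Html.AntiForgeryToken()
    //       <button type="submit">Log off</button>
    //   }

    // HttpPost: a plain link or image request (GET) cannot reach this action.
    // ValidateAntiForgeryToken: a POST from a page on another site is rejected,
    // because that page cannot supply a form token matching the user's cookie.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        // Assumption: forms authentication is in use.
        FormsAuthentication.SignOut();
        return RedirectToAction("Index", "Home");
    }

    // Runs when a filter or action on this controller throws.
    protected override void OnException(ExceptionContext filterContext)
    {
        var action = filterContext.RouteData.Values["action"] as string;
        bool isLogOff = string.Equals(action, "LogOff",
                                      StringComparison.OrdinalIgnoreCase);

        if (isLogOff && filterContext.Exception is HttpAntiForgeryException)
        {
            // Do not sign the user out here: doing so would let a forged
            // request force a logout, which is what the token prevents.
            // Send the user to a page that renders a fresh token instead.
            filterContext.ExceptionHandled = true;
            filterContext.Result = RedirectToAction("Index", "Home");
            return;
        }

        base.OnException(filterContext);
    }
}
```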
