Reputation: 7738
Generate AntiForgeryToken on one site and validate on another?
If I have 2 ASP.NET MVC sites (potentially on seperate servers) and I want to display a form on Site A that POSTs to an action on Site B, is it possible to share AntiForgeryToken setup so that if Site A includes an AntiForgeryToken on a form, it will successfully pass the Anti Forgery validation check on Site B?
So in Site A the page has a form with action set to Site B Url with:
@Html.AntiForgeryToken()
And on Site B the action it will post to is decorated with:
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
The scenario here is that we need to allow a login to Site B from a form on Site A.
If this is possible, are there any other gotchas we should watch out for?
Upvotes: 1
Views: 1117
Answers (1)
Reputation: 19261
The whole purpose of @Html.AntiForgeryToken() helper and [ValidateAntiForgeryToken] attribute is to prevent users from submitting forms from another domain.
To do that anti forgery token uses cookies. Since you cannot share cookies accross multiple domains, the cookie created on your Site A will not be accessible on Site B.
Thus, I think what you want to achieve is impossible.
Upvotes: 4
Related Questions
- How to make the AntiforgeryToken As Secure in ASP.net MVC
- How to validate AntiForgeryToken issued from one Application on different Application in .NetCore API?
- Automatically add anti-forgery tokens in ASP.NET MVC with Razor
- Using AntiForgeryToken between multiple ASP.NET sub projects
- AntiForgeryToken re-use
- Dealing with missing/invalid AntiForgeryTokens in ASP.NET MVC
- How to pass through the AntiForgeryToken in MVC
- AntiForgeryToken validation Asp.Net MVC 3
- ASP.NET MVC3 AntiForgeryToken
- Is it possible to make the AntiForgeryToken value in ASP.NET MVC change after each verification?