Reputation: 1299
I am trying to avoid "AntiForgery" checking as it always fails when hosted from the 3rd party server. I am using an ASP.NET Core 2.0 MVC application.
I added this option in the ConfigureServices function:
    services
        .AddMvc()
        .AddRazorPagesOptions(options =>
        {
            options.Conventions.AuthorizeFolder("/Account/Manage");
            options.Conventions.AuthorizePage("/Account/Logout");
            options.Conventions.ConfigureFilter(new IgnoreAntiforgeryTokenAttribute());
        });
But still I am getting this exception.
System.InvalidOperationException: The antiforgery token could not be decrypted.
System.Security.Cryptography.CryptographicException: The key {6fb328e7-4808-4b5d-b7dc-870d126e5ca4} was not found in the key ring.
Am I missing anything?
Upvotes: 15
Views: 27913
Reputation: 936
In case anyone else struggles with this in .NET 6:
services.AddAntiforgery(options => { options.SuppressXFrameOptionsHeader = true; });
Upvotes: 1
Reputation: 645
Been looking around for how to disable the cookie. Setting the Order does not seem to help for me, and trying to set it for all pages via the line below also did not work for me.
options.Conventions.ConfigureFilter(new IgnoreAntiforgeryTokenAttribute());
I eventually found the article below, which helps with deleting the cookie locally, at least. Add the line below in Startup.cs (article: "Disable .AspNetCore.Antiforgery Cookie"):
services.AddAntiforgery(options => { options.Cookie.Expiration = TimeSpan.Zero;});
Upvotes: 3
Reputation: 4164
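Add the IgnoreAntiforgeryToken attribute (Order must be > 1000) to the Razor Page model:
For example:
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.AspNetCore.Mvc.RazorPages;
    namespace CWACpch.Pages
    {
        [IgnoreAntiforgeryToken(Order = 2000)]
        public class CreateOrderModel : PageModel
        {
            // Page handlers (OnGet, OnPost, ...) go here.
        }
    }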
Upvotes: 8
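An added example, not part of any answer on this page: the attribute from the answer above applied through a page convention in ConfigureServices, so that antiforgery validation is skipped for one page only and stays in force for every other page. The page path `/CreateOrder` and the constant name are assumptions made for illustration; the Order value is the one used in the answer above.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Assumed path of the page backed by CreateOrderModel (not given on this page).
    private const string ExternallyPostedPage = "/CreateOrder";

    public void ConfigureServices(IServiceCollection services)
    {
        services
            .AddMvc()
            .AddRazorPagesOptions(options =>
            {
                options.Conventions.AuthorizeFolder("/Account/Manage");
                options.Conventions.AuthorizePage("/Account/Logout");

                // Broad form from the question: the filter is attached to every
                // Razor Page, including the authenticated /Account pages.
                // options.Conventions.ConfigureFilter(new IgnoreAntiforgeryTokenAttribute());

                // Narrow form: attach the filter to the single page that receives
                // posts from the third-party host. Order is set above 1000, as the
                // answer above requires for the attribute to take effect.
                options.Conventions.AddPageApplicationModelConvention(
                    ExternallyPostedPage,
                    model => model.Filters.Add(
                        new IgnoreAntiforgeryTokenAttribute { Order = 2000 }));
            });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseMvc();
    }
}
```

Because this page no longer checks the token, its POST handler has to treat every request as unauthenticated cross-site input and validate it on its own terms.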
Reputation: 101
As per my understanding, you don't have to disable anything. By default, if you use the ASP.NET tag helper to create a form element, it will put in an antiforgery token.
It is up to you to validate the antiforgery token by using the [ValidateAntiforgeryToken] annotation on the action method, or to globally define configuration for ValidateAntiforgeryToken, which will make the system try to validate the antiforgery token.
If you have not configured the system as mentioned above, the system won't validate the antiforgery token and it won't be a problem for your situation.
Upvotes: 1