I am currently working on an ASP.NET MVC project and came upon an error that seemed peculiar.
In the ASP.NET MVC Templates forms always get an AntiForgeryToken (thus leading me to believe that this is a best practice). However AntiForgeryTokens don't seem to work well with caching.
For example when I open a site with a form including an AntiForgeryToken and I duplicate the browser window both windows have the exact same AntiForgeryToken leading to an exception when posting the form. This problem does not exist when caching is disabled (via ActionFilter NoCache, see Disable browser cache for entire ASP.NET website).
So I guess my question is: Is this supposed to be that way? Is there any other way besides disabling the cache to tackle the problem?
Especially the fact that the default ASP.NET MVC templates contain AntiForgeryTokens but don't disable the cache (and therefore are open to the error described above) makes me wonder.
Thanks in advance!
Html.AntiforgeryToken()
generates a new token each time, so in two browser windows you should have different values – Lissome