Server Cannot Append Header After HTTP headers have been sent Exception at @Html.AntiForgery

Asked 14/12, 2015 at 15:3 Answered 14/6, 2017 at 3:55

I'm developing an asp.net mvc 5 application in which I was trying to redirect to the ReturnUrl by applying the code below :

[HttpPost]
[AllowAnonymous]
public ActionResult Login(UserLogin model, string returnUrl)
{
    if (ModelState.IsValid)
    {
        string EncryptedPassword = GetMD5(model.Password);
        if (DataAccess.DAL.UserIsValid(model.Username, EncryptedPassword))
        {
            FormsAuthentication.SetAuthCookie(model.Username, true);
            if (String.IsNullOrEmpty(returnUrl))
            {
                return RedirectToAction("Index", "Home");
            }
            else
            {
                Response.Redirect(returnUrl);
            }
        }
        else
        {
            ModelState.AddModelError("", "Invalid Username or Password");
        }
    }
    return View();
}

The above code is working fine, But the problem is that when I Post the login form, it gives me an Exception that I've never faced Before and I'm having difficulties resolving the exception that is generating in the view in Login.cshtml, At Line :

@Html.AntiForgeryToken()

And the Exception That it throws:

Server cannot append header after HTTP headers have been sent.

I've researched a lot but I'm unable to get to the conclusion. My application works fine when I remove @Html.AntiForgeryToken() line, But I don't want to do this, I want my application to remain cross-site request protected.

Can Anyone Please Help me out, How do I get rid of this Exception?

Frech answered 14/12, 2015 at 15:3 Comment(4)

Show the view code where you use the line @Html.AntiForgeryToken() – Counterglow 14/12, 2015 at 15:4

Is your @Html.AntiForgeryToken()` in your Form on your View? – Willywilly 14/12, 2015 at 15:12

@PedroBenevides Yes, It is inside the Begin form..Sorry For the late reply. – Frech 16/12, 2015 at 12:56

In German, this message reads "Der Server kann den Header nicht anhängen, nachdem HTTP-Header gesendet wurden.", in case anyone is googling this. – Agent 18/1, 2019 at 8:7

When Response.Redirect(anyUrl) the status code is set to 302, and the header will added to the response :

HTTP 1.0 302 Object Moved 
Location: http://anyurl.com

And when ViewResult is executed and razor render the view the Html.AntiForgeryToken() will called, so the helper tries to add the header X-Frame-Options and some cookies to the response, it is the cause of the exception.

But don't worry you can suppress the addition of X-Frame-Options header, just put this AntiForgeryConfig.SuppressXFrameOptionsHeader = true; in the Application_start.

But I suggest you to change this:

Response.Redirect(returnUrl);

return Redirect(returnUrl);

Note

Since .NET code was opened you can see how the AntiForgeryToken works, see here AntiForgeryWorker.

Motorcycle answered 29/12, 2015 at 18:28 Comment(2)

I get the error when RedirectToAction("Logout", "Authentication"); – Delorsedelos 19/12, 2018 at 16:21

What is header X-Frame-Options ? – Delorsedelos 18/3, 2019 at 11:23

I was getting same error with Response.Redirect(returnUrl). After changing to Response.Redirect(returnUrl, false) fixed the issue.

Armadillo answered 14/6, 2017 at 3:55 Comment(0)

Recommended topics

Hot tags