Will ASP.Net MVC's AntiForgeryToken Method work with Load Balancers?

1

19

Using ASP.Net MVC v2.0, I am starting to research the use of the Html.AntiForgeryToken() method when submitting forms that process data. I can see it sets a hidden value in the form HTML and it sets the same value in a session cookie.

The question is: will different web servers in a load-balanced configuration create the same token in the HTML forms? It seems if they don't, then the cookie and hidden form value wouldn't match and we would have a problem. Before I get into actually testing this in an LB configuration, I wanted to check if anyone already has experience with this.

Thanks, Paul

Monstrance answered 5/8, 2010 at 22:5 Comment(0)
24

If all machines across the farm share the same <machineKey>, everything will work. There are lots of resources on how to set this. There's also a tutorial on MSDN.

Note that the name <machineKey> is a bit misleading, since this is actually set per-application in ~/Web.config. So set the <machineKey> explicitly in your app's Web.config, then deploy across your farm.

Sheff answered 6/8, 2010 at 6:7 Comment(4)
OK, I should have assumed the machineKey was used. Thanks for the answer. - Monstrance
And if you're lazy to create a machinekey line for your config file: aspnetresources.com/tools/machineKey - Bessiebessy
nashwan, it's dangerous to use a machineKey that you didn't generate yourself. It could end up compromising the security of your site. - Sheff
We generated a machine key and added it in the web.config file. This issue occurred in a one-server scenario also. - Create
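
An added example, not part of the original answer or of ASP.NET itself: a Python sketch that builds a `<machineKey>` element from keys generated locally (as the comment above advises) and audits Web.config copies collected from farm nodes for the mismatch the question asks about. The function names, node names and the minimal Web.config are constructed for illustration; files that declare an XML namespace on `<configuration>` are not handled.

```python
import secrets
import xml.etree.ElementTree as ET

def new_machine_key(validation="HMACSHA256", decryption="AES"):
    """Return a <machineKey> element built from keys generated on this machine.
    HMACSHA256 requires .NET 4.0 or later; pass validation="SHA1" on .NET 3.5."""
    el = ET.Element("machineKey", {
        "validationKey": secrets.token_hex(64).upper(),  # 64 random bytes
        "decryptionKey": secrets.token_hex(32).upper(),  # 32 random bytes (AES-256)
        "validation": validation,
        "decryption": decryption,
    })
    return ET.tostring(el, encoding="unicode")

def audit_farm(configs):
    """configs maps node name -> Web.config text. Returns findings; [] means
    every node carries the same explicit key pair."""
    findings, explicit = [], {}
    for node, text in configs.items():
        mk = ET.fromstring(text).find("system.web/machineKey")
        keys = None if mk is None else (mk.get("validationKey", ""), mk.get("decryptionKey", ""))
        if keys is None or any(not k or "AutoGenerate" in k for k in keys):
            findings.append(f"{node}: no explicit machineKey, keys are auto-generated per server")
        else:
            explicit[node] = keys
    if len(set(explicit.values())) > 1:
        findings.append("machineKey differs between: " + ", ".join(sorted(explicit)))
    return findings

def web_config(machine_key_xml):
    """Constructed minimal Web.config used as sample input."""
    return f"<configuration><system.web>{machine_key_xml}</system.web></configuration>"

if __name__ == "__main__":
    shared = web_config(new_machine_key())
    farm = {
        "web1": shared,
        "web2": shared,
        "web3": web_config(""),  # node deployed without the element
    }
    for finding in audit_farm(farm) or ["farm is consistent"]:
        print(finding)
```

Generate the element once, store it like any other secret, and deploy the same value to every node; a non-empty result from `audit_farm` means anti-forgery tokens issued by one node can fail validation on another.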
