How to disable the antiforgery token check in ASP.NET MVC Core 2

I am trying to avoid "AntiForgery" checking as it always fails when hosted from the 3rd party server. I am using an ASP.NET Core 2.0 MVC application.

I added this option in the ConfigureServices function:

services
    .AddMvc()
    .AddRazorPagesOptions(options =>
    {
        options.Conventions.AuthorizeFolder("/Account/Manage");
        options.Conventions.AuthorizePage("/Account/Logout");
        options.Conventions.ConfigureFilter(new IgnoreAntiforgeryTokenAttribute());
    });

But still I am getting this exception.

System.InvalidOperationException: The antiforgery token could not be decrypted.
System.Security.Cryptography.CryptographicException: The key {6fb328e7-4808-4b5d-b7dc-870d126e5ca4} was not found in the key ring.

Am I missing anything?

Grandaunt answered 21/5, 2018 at 5:3. Comments (3):

"it always fails when hosted from the 3rd party server" - perhaps it's a better idea to fix that issue instead of disabling a useful security feature. What is happening on the other server that causes it to break? (Reavis)

This entire token system and antiforgery system is not working when hosted from a third party IIS server. I have opened a bug as well as submitted the logs. Since this is a test, I simply want to remove the antiforgery system from the application. I did some research and added that line of code in the ConfigureServices function. But still the application is checking for the token. Not sure how to disable it. Any advice? (Grandaunt)

Is your application using only Razor Pages? If you're using the full version of ASP.NET Core's MVC functionality or something else then it won't be under AddRazorPagesOptions but will be elsewhere. (Reavis)

Add the IgnoreAntiforgeryToken attribute (Order must be > 1000) to the Razor page model:

For example:

using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
namespace CWACpch.Pages
{
    [IgnoreAntiforgeryToken(Order = 2000)] // > 1000 so it outranks the default validation filter
    public class CreateOrderModel : PageModel
    {
        public void OnPost() { } // handler that now accepts a POST without the token
    }
}
Gameness answered 22/4, 2019 at 22:3. Comment (1):

That worked - it does feel like a "work around" which then could expose an application to a security flaw. However, I wanted a demo to run, where (as above) a third party does the form POST. (Riggins)
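For the Razor Pages case, here is an added example (my code, not from the question or from any answer on this page). It applies the accepted answer's Order rule through a page convention so that only one page is exempted instead of the whole site, and it also deals with the exception actually quoted in the question, "The key {...} was not found in the key ring", which points at per-server Data Protection keys rather than at the antiforgery check itself. The page path /Orders/Create, the application name and the key directory are assumptions:

```csharp
// Added example, not code from the question or from any answer on this page.
// ASP.NET Core 2.x Startup. Assumed names: "/Orders/Create" is the page the third
// party POSTs to, and \\fileshare\cwacpch-keys is a hypothetical directory that every
// instance hosting the app can read and write.
using System.IO;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

namespace CWACpch
{
    public class Startup
    {
        public void ConfigureServices(IServiceCollection services)
        {
            // Addresses the exception in the question ("The key {...} was not found in the
            // key ring"): antiforgery tokens are encrypted with Data Protection keys, and each
            // server generates its own key ring by default. When the server that issued the
            // token is not the one validating it (web farm, second app pool, another host),
            // decryption fails. Sharing one key ring under one application name fixes that
            // without weakening the check at all.
            services.AddDataProtection()
                .SetApplicationName("CWACpch")
                .PersistKeysToFileSystem(new DirectoryInfo(@"\\fileshare\cwacpch-keys"));

            services.AddMvc()
                .AddRazorPagesOptions(options =>
                {
                    options.Conventions.AuthorizeFolder("/Account/Manage");
                    options.Conventions.AuthorizePage("/Account/Logout");

                    // Exempt only the page that genuinely must accept a cross-site POST,
                    // never every page. Razor Pages validates the token on POST by default,
                    // and, as the accepted answer notes, IgnoreAntiforgeryToken only becomes
                    // the effective policy when its Order is above 1000. Leaving the default
                    // Order, as ConfigureFilter(new IgnoreAntiforgeryTokenAttribute()) in the
                    // question does, is why that attempt had no visible effect.
                    options.Conventions.AddPageApplicationModelConvention("/Orders/Create",
                        model => model.Filters.Add(new IgnoreAntiforgeryTokenAttribute { Order = 1001 }));
                });
        }

        public void Configure(IApplicationBuilder app)
        {
            app.UseMvc();
        }
    }
}
```

Two things to keep apart: if the failure is a multi-instance key-ring mismatch, the Data Protection change alone is the fix and nothing needs to be exempted; if a third party really does POST from its own site, no antiforgery token can ever match, so that one page must be exempted and then protected some other way (a shared secret, a signature over the body, or network restrictions), because the exemption removes the CSRF defence for that page.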

Been looking around for how to disable the cookie; setting the Order does not seem to help for me, and trying to set it for all pages via the line below also did not work for me.

options.Conventions.ConfigureFilter(new IgnoreAntiforgeryTokenAttribute());

I eventually found the article below, which helps with deleting the cookie locally, at least. Add the line below in Startup.cs (article: Disable .AspNetCore.Antiforgery Cookie):

services.AddAntiforgery(options => { options.Cookie.Expiration = TimeSpan.Zero; });

Sternick answered 28/7, 2020 at 18:46.

In case anyone else struggles with this in .NET 6:

services.AddAntiforgery(options => { options.SuppressXFrameOptionsHeader = true; });
Pediculosis answered 2/1, 2022 at 3:21.

As per my understanding, you don't have to disable anything. By default, if you use the ASP.NET tag helper to create a form element, it will put an anti-forgery token in the form.

It is up to you to validate the anti-forgery token, either by using the [ValidateAntiforgeryToken] annotation on the action method or by globally defining the ValidateAntiforgeryToken configuration, which makes the system try to validate the anti-forgery token.

If you have not configured the system as mentioned above, the system won't validate the anti-forgery token and it won't be a problem for your situation.

Throaty answered 21/5, 2018 at 13:57. Comment (1):

I have this data annotation ([ValidateAntiforgeryToken]) everywhere in the code. I need it when I go to production. But during testing, I want to suppress the 'Anti Forgery Validation' check. So I added this line (options.Conventions.ConfigureFilter(new IgnoreAntiforgeryTokenAttribute());). But still the application gives me this exception: "The antiforgery token could not be decrypted. System.Security.Cryptography.CryptographicException:". My question is, why is it still checking? (Grandaunt)
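As an added example (my code, not this answerer's), here is the opt-in model this answer describes applied to MVC controllers rather than Razor Pages, the case the comment on the question asked about: a global AutoValidateAntiforgeryToken filter, an ordinary action it covers, and the single action exempted for a third-party POST with a replacement check in its place. The controller, the X-Partner-Token header name and the secret are assumptions:

```csharp
// Added example, not code from the question or from any answer on this page.
// MVC-controller counterpart of the Razor Pages case, for ASP.NET Core 2.1 or later
// (CryptographicOperations.FixedTimeEquals exists from 2.1). The header name
// X-Partner-Token and the secret are hypothetical; in a real app the secret comes
// from configuration, never from source.
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

namespace CWACpch
{
    public class Startup
    {
        public void ConfigureServices(IServiceCollection services)
        {
            // Global opt-in: validate the token on every POST/PUT/PATCH/DELETE action, so a
            // new action is protected even if nobody remembers [ValidateAntiForgeryToken].
            services.AddMvc(options =>
                options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));
        }

        public void Configure(IApplicationBuilder app) => app.UseMvcWithDefaultRoute();
    }

    public class OrdersController : Controller
    {
        private static readonly byte[] PartnerSecret =
            Encoding.UTF8.GetBytes("replace-with-a-secret-from-configuration");

        // Covered by the global filter: the browser form must carry the hidden token that the
        // <form> tag helper (or @Html.AntiForgeryToken()) renders, plus the matching cookie.
        [HttpPost]
        public IActionResult Create(string sku) => Ok(new { sku });

        // The one endpoint a third party POSTs to cross-site. On a controller the action-level
        // IgnoreAntiforgeryToken is the effective policy at its default Order because it is
        // scoped closer than the global filter, so no Order = 1001 is needed here, unlike on a
        // Razor Page. With the CSRF check gone, something else must prove who is calling:
        // here a shared secret, compared in constant time so the check does not leak bytes.
        [HttpPost]
        [IgnoreAntiforgeryToken]
        public IActionResult PartnerWebhook([FromHeader(Name = "X-Partner-Token")] string token)
        {
            var presented = Encoding.UTF8.GetBytes(token ?? string.Empty);
            return CryptographicOperations.FixedTimeEquals(presented, PartnerSecret)
                ? Ok()
                : Unauthorized();
        }
    }
}
```

The point of the shared-secret branch is that exempting an action is a policy decision, not a cleanup: whatever replaces the antiforgery token has to be something a hostile page in a victim's browser cannot supply, and a custom header carrying a secret is one of the simplest such things.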
