
Login Issue w/ Antiforgery Tokens #10654


kfrancis created

(Using product version 10.5.0 .NET Core MVC)

Getting an error on login following a specific sequence:

  1. User is logged in and opens change password modal,
  2. clicks link to Forgot Password page (is logged out),
  3. clicks Back to exit, is directed to Login page,
  4. and attempts to log in with the correct credentials

Instead of successfully logging in, a 400 bad request response is sent back. Upon closer inspection, an ASP.NET Core antiforgery token is lingering in the cookies and fails the automatic validation applied to the Login controller method.

Adding an IgnoreAntiforgeryToken attribute to the login method is the most obvious solution. Does this interfere with ABP's automatic CSRF validation or will the login form still be protected? Might something else be missing that would prevent this problem altogether?


2 Answer(s)
  • ismcagdas created
    Support Team

    Hi @kfrancis

    I have created an issue about this problem, see https://github.com/aspnetzero/aspnet-zero-core/issues/4073.

    When you use IgnoreAntiforgeryToken, the endpoint will not be protected for XSRF Attacks.

    We will work on this issue soon.
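One way to keep `[ValidateAntiForgeryToken]` on the login POST while preventing a token from the previous authenticated session from lingering, as an added example that is not ABP's or the thread's own code. It assumes a hypothetical `AccountController` and `LoginViewModel`, and reads the antiforgery cookie name from `AntiforgeryOptions` rather than hard-coding it.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Options;

// Hypothetical view model; a real app validates it against its identity store.
public class LoginViewModel { public string UserName { get; set; } public string Password { get; set; } }

// Hypothetical controller (not ABP's AccountController). Login keeps the CSRF
// check; Logout and the Login GET make sure the token pair the login form
// carries was issued for the anonymous identity, not the old session.
public class AccountController : Controller
{
    private readonly IAntiforgery _antiforgery;
    private readonly string _antiforgeryCookieName;

    public AccountController(IAntiforgery antiforgery, IOptions<AntiforgeryOptions> options)
    {
        _antiforgery = antiforgery;
        // Assumption: options setup has resolved the name (default ".AspNetCore.Antiforgery.<hash>").
        _antiforgeryCookieName = options.Value.Cookie.Name;
    }

    [HttpGet, AllowAnonymous]
    [ResponseCache(NoStore = true, Location = ResponseCacheLocation.None)] // Back re-renders instead of replaying a cached form token
    public IActionResult Login()
    {
        // Ensures a valid cookie token exists (a new one if Logout removed it) and
        // derives the request token for the current, anonymous identity.
        _antiforgery.GetAndStoreTokens(HttpContext);
        return View();
    }

    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken] // CSRF check stays on; no IgnoreAntiforgeryToken
    public Task<IActionResult> Login(LoginViewModel model)
    {
        // Credential check omitted: it is not what this example demonstrates.
        return Task.FromResult<IActionResult>(RedirectToAction("Index", "Home"));
    }

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout()
    {
        await HttpContext.SignOutAsync();
        // Drop the antiforgery cookie minted during the authenticated session so the
        // next login page render starts from a clean token pair.
        Response.Cookies.Delete(_antiforgeryCookieName);
        return RedirectToAction(nameof(Login));
    }
}
```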

  • hongbing.wang created

    Hi @ismcagdas,

    What is your product version? v12.4.0

    What is your product type (Angular or MVC)? Angular

    What is product framework type (.net framework or .net core)? .net 7

    [IgnoreAntiforgeryToken] is used in the following files:

      • aspnet-core\src\umsplus.Web.Core\OpenIddict\Controllers\TokenController.cs
      • aspnet-core\src\umsplus.Web.Core\OpenIddict\Controllers\AuthorizeController.cs, HandleAsync()
      • aspnet-core\src\umsplus.Web.Core\OpenIddict\Controllers\UserInfoController.cs

    With [IgnoreAntiforgeryToken], the endpoint will not be protected for XSRF Attacks. Why [IgnoreAntiforgeryToken]? Are there any consequences if removed?