AntiForgeryToken

Vote:
 

Hi!

We are working on styling Epi Forms, and therefore we are keeping the form in the browser for a long time - say 1 hour. If we then reload the page, we get an error message saying something about the antiforgerytoken not being valid. If we load the same page in a new tab, everything is ok. Is this a bug in epi forms, or is there something we can do to fix it?

#208933
Nov 05, 2019 9:27
Vote:
 

I think after an hour the cookie that is used to validate has expired. It's not an Episerver specific thing methinks. Have a look at this article

#208934
Nov 05, 2019 10:02
Vote:
 

That's a protection vs cross site request forgery. Basically what happens is that you are probably re-posting the form but the anti-forgery token validation then says that the token doesn't match the user it was created for (session timeout). So I would say it's working as intended. 

To avoid it you can redirect a logged out user to start page or reload the page since this will restart the session and give you a new valid cookie for antiforgery token.

#208935
Nov 05, 2019 10:13
Vote:
 

It sounds strange that if a user starts filling out a form, takes a break for an hour, and comes back, the page fails? 

Daniel: you say we can reload the page, but when we reload the page, the error happens. 

#209031
Nov 06, 2019 12:07
Vote:
 

You should be able to reload using a GET? (similar to open same address in new tab). If you reload using a POST (resending form data) it will trigger the validation of antiforgery token. Haven't tested it though but that is as it should work at least. The validation is to protect logged in users. If it didn't exist I could create posts as another logged in users with a little effort and a fake site. 

What you can do is have a javascript that sends user to startpage after x mins of inactivity / session timeout and force them to login again. This will avoid the problem with session timing out and the token becoming invalid on the forms page. 

For sites without login I guess it should be possible to remove the antiforgery check. Don't see why it's needed then. Haven't tested if that is possible with Episerver Forms out of the box though

#209036
Nov 06, 2019 13:43
Vote:
 

As it is a protection against XSRF attacks, also for anonymous users, I would not advice to remove it. You could catch the exception and handle it in a way that's user friendly, e.g. showing a message that explains that they need to fill in the form again due to inactivity

#209072
Nov 07, 2019 10:01