Skip to content

Rick anderson patch 11 #11

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 2 commits into from
Dec 19, 2024
Merged

Rick anderson patch 11 #11

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
74bf1b4
Update anti-request-forgery for multiple tabs
Rick-Anderson Dec 6, 2024
0013177
Update aspnetcore/security/anti-request-forgery.md
Rick-Anderson Dec 6, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 1 addition & 3 deletions aspnetcore/security/anti-request-forgery.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -159,9 +159,7 @@ Calling <xref:Microsoft.Extensions.DependencyInjection.MvcServiceCollectionExten

## Multiple browser tabs and the Synchronizer Token Pattern

With the Synchronizer Token Pattern, only the most recently loaded page is guaranteed to contain a valid antiforgery token. Apps that wish to support multiple tabs should test supported browsers and log failures. ***Using multiple tabs can be problematic***. For example, if a user opens multiple tabs, requests made from previously loaded tabs might fail with an error: `Antiforgery token validation failed. The antiforgery cookie token and request token do not match`

Consider alternative CSRF protection patterns if this poses an issue.
Multiple tabs with different users is not supported, including a user and anonymous.

## Configure antiforgery with `AntiforgeryOptions`

Expand Down
Loading