Clarify antiforgery protection behavior around multiple tabs being open

[nbellowe]

Initially I used the "Synchronizer Token Pattern (STP)" pattern described in the docs under "Antiforgery in ASP.NET Core". This led to issues for any users that use my website from multiple tabs, due to STP enforcing page load order (only POST made by the most recently loaded page would work properly).

I think the documentation could be improved by explaining more about this behavior, and recommending that in cases where you don't want to enforce page load ordering, the cookie to header pattern, (also documented but not named) or another CSRF protection pattern, may be suitable. I am happy to make this change myself.

---

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

• ID: 47b14f57-82ac-a2e2-cbc7-22a81a60f4ac
• Version Independent ID: bffca13c-223f-c61f-9cb2-9da8811eecfa
• Content: Prevent Cross-Site Request Forgery (XSRF/CSRF) attacks in ASP.NET Core
• Content Source: aspnetcore/security/anti-request-forgery.md
• Product: aspnet-core
• Technology: aspnetcore-security
• GitHub Login: @Rick-Anderson
• Microsoft Alias: riande

---

Associated WorkItem - 350915

[nbellowe]

(on this page) https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-6.0#antiforgery-in-aspnet-core

[Rick-Anderson]

@blowdart please review.

[blowdart]

Sure give it a shot, but it boils down to "We don't support multiple tabs logged in with different users, or one logged in and one anonymous". If you want to discuss other patterns you'll need to discuss the risks in detail.

[Rick-Anderson]

@nbellowe how about in this doc we add an H2, ## Multiple browser tabs, and explain that's not supported and why it's problematic.

Then create a new discussion with your mitigation. We can then point to the discussion.

[nbellowe]

Sure, my mitigation was essentially another pattern listed on the doc (copied below). I am happy to update the docs, it sounds like we have a consensus. I will make an MR myself, if thats ok.

// https://developer.mozilla.org/en-US/docs/web/api/document/cookie
const xsrfToken = document.cookie
    .split("; ")
    .find(row => row.startsWith("XSRF-TOKEN="))
    .split("=")[1];

const response = await fetch("/JavaScript/FetchEndpoint", {
    method: "POST",
    headers: { "X-XSRF-TOKEN": xsrfToken }
});

if (response.ok) {
    resultElement.innerText = await response.text();
} else {
    resultElement.innerText = `Request Failed: ${response.status}`
}

[nbellowe]

#25585

[nbellowe]

Perhaps I should point out the cookie to header approach that is mentioned later in the document. Thoughts @blowdart would you mind reviewing?

[aomader]

Is this documentation actually still correct? @Rick-Anderson

I just did a short test based on the default webapp template with .NET 8 (dotnet new webapp -o RazorPagesMovie) and it is very much possible to open multiple tabs and operate forms in any order.

I am really curious now what the actual behavior is.

[Rick-Anderson]

Per the doc Using multiple tabs can be problematic.