Search code examples
model-view-controllerinternet-explorer-11antiforgerytoken

MVC AntiforgeryToken - Limit?

I have a view that shows fine via firefox but not on IE11.

It uses Datatables and 2 of the columns have buttons to toggle the status of some data displayed.

These columns are very similar and one is like this....

        @{
            <td style="width: 18%">
                @if ((ViewBag.UserIsAdmin == "1") && ("AV".Contains(Model[ix].Status[0])) )
                {
                    <span class="hidden_span">@Html.DisplayFor(modelItem => Model[ix].StockId)</span>
                    string voidItemButtonCaption = String.Format("{0} {1}", ((Model[ix].Status[0] == 'A') ? "Void Item" : "Un-Void Item"), Model[ix].StockId);
                    using (Html.BeginForm("VoidStockItem", "Stock", new { stockId = Model[ix].StockId, categoryId = Model[ix].CategoryId, bAvailableOnly = availableOnly }, FormMethod.Post, null))
                    {
                        @Html.AntiForgeryToken()
                        @Html.Raw(string.Format("<input type=\"submit\" value=\"{0}\" name=\"VoidStockItem\" class=\"btn btn-default smaller_btn_btn_default\" />", voidItemButtonCaption));
                    }
                }
                else
                {
                    @Html.DisplayFor(modelItem => Model[ix].StockId)
                }
            </td>
        }

I've found that if my model contains more than around 115 items, then in IE the view wont display and it just says "This page can’t be displayed". Using F12 in IE isn't much help either.... "DOM7011: The code on this page disabled back and forward caching. For more information, see: http://go.microsoft.com/fwlink/?LinkID=291337"

After lots of hair pullling I have found that if I remove the anti forgery tokens, the page loads correctly. Obviously I cannot do this as a solution but I suppose it is at least a clue.

So it seems that I am limited to around 230 antiforgery tokens in a view. The view in question lists stocks and allows the user to Void particular items, so it's nothing out of this world.

So my questions are....

  1. is there a limit to the amount of anti forgerty tokens on a view?
  2. Is there a way to just insert one only when one of the submit buttons ic clicked?
  3. Have I done something fundamentally wrong?
  4. Can someone point me in the right direction to reslove this issue please?

Any help greatly appreciated.

Solution

  • I ended up doing it via AJAX.

    Works nicely as it picks up the AntiForgeryTokenFrom _Layout.

    //There isn't an antiforgerttoken on this page but there is one in the _~\shared\layout so it picks that up
params["__RequestVerificationToken"] = $('[name=__RequestVerificationToken]').val();
//Set the generic params
params["categoryId"] = catId;
params["denom"] = thisdenom;
params["bAvailableOnly"] = bAvail;

if (bIsBatch) {
    url = "@Url.Action("VoidStockBatch", "Stock")";
    params["stockBatchId"] = itemId;          
} else {
    url = "@Url.Action("VoidStockItem", "Stock")";
    params["stockId"] = itemId;
}

$.ajax({
    url: url,
    type: 'POST',
    cache: false,
    data: params,
    success: ...........