Tags: c#, http-redirect, antiforgerytoken

Regarding the @Html.AntiForgeryToken()


So I was wondering how important the AntiForgeryToken is, because it is causing some problems for me.

I have a class where I check whether the user is in the role "PremiumAnvändare" (it's PremiumUser in Swedish) and if not I redirect them to "rolenotfound".

    public ActionResult Create()
    {
        if (User.IsInRole("PremiumAnvändare"))
        {
            ViewBag.SammanhangsID = new SelectList(db.Sammanhangs, "SammanhangsID", "Namn");
            return View();
        }

        // Writes the 302 and flushes the response headers right here,
        // before the action has returned an ActionResult ...
        Response.Redirect("rolenotfound");
        // ... and then still renders the Create view, whose @Html.AntiForgeryToken()
        // tries to set its __RequestVerificationToken cookie after the headers
        // have already gone out, which is the exception shown below.
        return View();
    }

But when the user is redirected to rolenotfound I get the error

An exception of type 'System.Web.HttpException' occurred in System.Web.dll but was not handled in user code

The server can not add a header after HTTP headers have been sent.

This is resolved by deleting the @Html.AntiForgeryToken()

Am I doing something wrong or is it okay to remove the token? I researched it a bit and I understand it is to defend against cross-site attacks, but I don't believe this will be a problem since we are making a mobile app. But please correct me and teach me so I can make this right.


Solution

  • I solved it by changing

        Response.Redirect("rolenotfound");
        return View();


    to

        return PartialView("rolenotfound");


    This did not hinder me from using the anti-forgery token; however, the layout is not included in this case, but that won't be a problem in my project.
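For comparison, here is how the same role check can be written so that the redirect and the token no longer collide, while the token keeps doing its job on the POST side. This is an added example, not code from the question or the answer above: the controller name, the `db` context type, the `Sammanhang` model class and the `RoleNotFound` action are assumptions chosen to match the identifiers in the question.

```csharp
using System.Web.Mvc;

// Added example (not the poster's code). Assumes an ASP.NET MVC 5 controller,
// an Entity Framework context `db` exposing `Sammanhangs`, a model class
// `Sammanhang`, and a `RoleNotFound` action with its own view. All of these
// names are assumptions for illustration.
public class SammanhangController : Controller
{
    private readonly SammanhangContext db = new SammanhangContext(); // assumed context type

    // GET: Sammanhang/Create
    // Returning a RedirectResult lets MVC write the 302 after the action has
    // finished, so on the "not in role" path no view is rendered at all and
    // @Html.AntiForgeryToken() never tries to add a cookie to a sent response.
    public ActionResult Create()
    {
        if (!User.IsInRole("PremiumAnvändare"))
        {
            return RedirectToAction("RoleNotFound");
        }

        ViewBag.SammanhangsID = new SelectList(db.Sammanhangs, "SammanhangsID", "Namn");
        return View(); // Create.cshtml keeps @Html.AntiForgeryToken() inside its form
    }

    // POST: Sammanhang/Create
    // [ValidateAntiForgeryToken] compares the hidden __RequestVerificationToken
    // field emitted by @Html.AntiForgeryToken() with the cookie of the same name.
    // A form posted from another site carries the user's cookie but cannot read
    // or supply the matching field, so the request is rejected before this
    // method body runs.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create(Sammanhang model) // `Sammanhang` is an assumed model type
    {
        if (!User.IsInRole("PremiumAnvändare"))
        {
            return RedirectToAction("RoleNotFound");
        }

        if (!ModelState.IsValid)
        {
            ViewBag.SammanhangsID = new SelectList(db.Sammanhangs, "SammanhangsID", "Namn");
            return View(model);
        }

        db.Sammanhangs.Add(model);
        db.SaveChanges();
        return RedirectToAction("Index");
    }

    // The page the user is sent to when the role check fails; rendered with the
    // normal layout because it is an ordinary view, not a partial.
    public ActionResult RoleNotFound()
    {
        return View();
    }
}
```

Two practical notes. First, the role check on the GET action only controls who sees the form; an attacker does not need the form to send a POST, so the same check (and the `[ValidateAntiForgeryToken]` attribute) must sit on the POST action as well. The check could equally be expressed as `[Authorize(Roles = "PremiumAnvändare")]` on the controller or the actions, which is the framework's own way of doing it, at the cost of the built-in redirect to the login page instead of a custom "rolenotfound" view. Second, the `PartialView` workaround in the accepted answer also avoids the exception, but it returns the "rolenotfound" content with a 200 status at the Create URL rather than redirecting, so it is worth checking that nothing downstream relies on the redirect.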