AntiForgeryToken Error in a Load Balanced Environment


The client has a custom module that uses AntiForgeryTokens to protect POST requests. Because the website is load balanced across two servers, the requests must work correctly on both of them.

This article explains how an AntiForgeryToken that was created by server A can be validated on server B, which happens when the subsequent POST request carrying the token is handled by server B rather than server A.


WebFarm Environment


Load Balancer Configuration

Root Cause

In a web farm, the use of AntiForgeryTokens can be complicated: the initial page request (which issues the token) may be served by one server, while the follow-up POST request (which validates the token) is routed to another.


The simplest solution to this issue is to enable Sticky Sessions in the Load Balancer. A Sticky Session ensures that all requests from a session that started on Server A are handled by that same server, which guarantees that the AntiForgeryToken it issued is validated by the server that created it. Although this is a solution outside of DNN, it may be the simplest choice, and it avoids the overhead of synchronizing the AntiForgeryToken between the webheads.


