Mvc: cache-control: no-store header being overwritten by .net core CSRF token generator

Created on 22 Jun 2017 · 5 Comments · Source: aspnet/Mvc

In order to solve a caching issue in IE I decorated my controllers with
[ResponseCache(Location = ResponseCacheLocation.None, NoStore = true)]

When looking at the response headers in the browser developer tools I noticed that some of my controller action responses had the expected Cache-Control:no-store,no-cache

But others didn't. This was driving me nuts and after doing some digging I found the explanation in the msdn documentation

https://docs.microsoft.com/en-us/aspnet/core/performance/caching/middleware

So I tried disabling CSRF protection in my form by using the asp-antiforgery="false" attribute and sure enough the no-store directive was added to my response header.

So my question is: Is there any way to achieve this without having to sacrifice security by disabling CSRF protection in my forms? It definitely doesn't feel right to have to disable that just to prevent IE from caching my pages.

Thanks in advance for any help/advice that you can give me!

All 5 comments

What's the exact issue here with the cache headers? Is the problem that you need Cache-Control: no-cache, no-store and you are getting Cache-Control: no-cache?

@rynowak the issue is that I need the headers to be Cache-Control: no-cache, no-store and adding the controller attributes allows me to achieve this everywhere but in pages where there is a form (unless I disable CSRF protection, in which case it does work but I am left without protection against that type of attack)

Also, it looks like you closed the issue in both the home and the MVC repos!

No, this issue is open.

FYI here's a workaround that someone else found for this in 1.X.Y. We already addressed this issue in 2.0.0 https://github.com/aspnet/Antiforgery/blob/f258be61fd05ff23d286661c58409b1eba004440/src/Microsoft.AspNetCore.Antiforgery/Internal/DefaultAntiforgery.cs#L372
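The header clash described in this thread can be handled without turning off antiforgery: register a callback that runs right before the response headers are flushed and re-applies `no-store` if whatever component wrote `Cache-Control` last (here, the antiforgery token generator) left it out. The middleware below is an added example written for this page; it is not the workaround linked above, not code from the aspnet/Mvc or aspnet/Antiforgery projects, and the class and extension-method names (`NoStoreMiddleware`, `UseNoStore`) are my own. It assumes a 1.x-era ASP.NET Core pipeline where `Response.OnStarting`, `HeaderNames.CacheControl` and `HeaderNames.Pragma` are available.

```csharp
// Added example, not from the issue or the ASP.NET Core projects.
// Re-applies "no-store" immediately before the response headers are sent,
// so that a component running later in the pipeline (such as the antiforgery
// token generator setting its own Cache-Control value) cannot leave a page
// cacheable. Class and method names here are hypothetical.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Net.Http.Headers;

public class NoStoreMiddleware
{
    private readonly RequestDelegate _next;

    public NoStoreMiddleware(RequestDelegate next)
    {
        _next = next;
    }

    public async Task Invoke(HttpContext context)
    {
        // OnStarting fires when the headers are about to be written, i.e. after
        // MVC, its filters (including ResponseCacheAttribute) and antiforgery
        // have all had their say. That makes it the last word on Cache-Control.
        context.Response.OnStarting(state =>
        {
            var response = (HttpResponse)state;
            var cacheControl = response.Headers[HeaderNames.CacheControl].ToString();

            // Leave responses alone that already carry no-store; only repair
            // the ones where it was overwritten (e.g. pages rendering a form).
            if (cacheControl.IndexOf("no-store", StringComparison.OrdinalIgnoreCase) < 0)
            {
                response.Headers[HeaderNames.CacheControl] = "no-cache, no-store";
                // Pragma: no-cache is what older IE versions actually honour.
                response.Headers[HeaderNames.Pragma] = "no-cache";
            }

            return Task.CompletedTask;
        }, context.Response);

        await _next(context);
    }
}

// Registration helper (hypothetical name). In Startup.Configure, call
// app.UseNoStore() before app.UseMvc() so the callback is registered for
// every request that reaches MVC.
public static class NoStoreMiddlewareExtensions
{
    public static IApplicationBuilder UseNoStore(this IApplicationBuilder app)
    {
        return app.UseMiddleware<NoStoreMiddleware>();
    }
}
```

As written this applies to every response that passes through the middleware, which matches the thread's goal of a site-wide `no-store`; if only authenticated or HTML pages need it, add a check on `context.Response.ContentType` or `context.User` inside the callback. To confirm the fix, inspect the same pages in the browser developer tools that the issue describes and verify that responses containing a form now show `Cache-Control: no-cache, no-store` with antiforgery still enabled. Per the comment above, 2.0.0 addressed the underlying overwrite, so the middleware is only needed on 1.x.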
