I noticed that the Razor Pages template that includes authentication makes use of a controller for logging out rather than, say, a logout.cshtml (e.g. https://github.com/DamianEdwards/RazorPagesSample/blob/master/RazorPagesWebApplication/Pages/Account/Logout.cshtml). I tried to change it to use a logout.cshtml page and discovered that posting from one page to another (setting the "action" attribute of a form) results in a 400 status code when the form is submitted.
I am interested in learning if this is by design, and if so, why? Does it have something to do with AntiForgery checks, which I appreciate are disabled if you explicitly set the action on a form element?
This is almost certainly a missing antiforgery token (logs would confirm that). Razor Pages always validates an antiforgery token on a POST.
If you're using the form tag helper, you can use asp-page="/some/other/page" for linking rather than action.
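The three form variants discussed above, side by side, as an added example that is not part of the original thread or the template. The /Account/Logout page and its POST handler are assumptions; the first form is the failing case from the question.

```cshtml
@* Constructed example: three ways to post to a hypothetical
   /Account/Logout Razor Page that has an OnPost handler. *@

@* 1. Explicit action attribute. The form tag helper does not emit the
      antiforgery token here, so the target page rejects the POST
      with a 400 status code. *@
<form method="post" action="/Account/Logout">
    <button type="submit">Log out</button>
</form>

@* 2. Explicit action attribute, with token generation switched back on
      through the tag helper's asp-antiforgery attribute. *@
<form method="post" action="/Account/Logout" asp-antiforgery="true">
    <button type="submit">Log out</button>
</form>

@* 3. asp-page instead of action. The tag helper builds the URL and
      adds the hidden token field automatically. *@
<form method="post" asp-page="/Account/Logout">
    <button type="submit">Log out</button>
</form>

@* In the rendered HTML, forms 2 and 3 contain a hidden input named
   __RequestVerificationToken; form 1 does not. *@
```

Viewing the page source and looking for the `__RequestVerificationToken` input is a quick way to confirm which forms will pass validation.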
Thanks.
Do you know why a controller was included in the template?
I assume that you're talking about this one: https://github.com/aspnet/Templates/blob/dev/template_feed/Microsoft.DotNet.Web.ProjectTemplates.2.0/content/RazorPagesWeb-CSharp/Controllers/AccountController.cs
I'm actually not sure. @danroth27 do you know? Is this a mistake?
There's no UI for the logout action, so a page doesn't really make sense. We decided to use controller actions for endpoints that have no associated UI.
@davidfowl @DamianEdwards
Yep, this was by design.