c# - Anti forgery token on login page

Question

I have implemented antiforgery token on my login page.

Now I had one user pressing back key on the keyboard, and when they click on login button again after filling their credentials, they get error page.

Is there some better way of handeling this case like redirect them to fresh login page?

Page that is login page is :/account/logon

If login details are sucessfull the user is redirected to :Home/Index page on which the user pressed button back.

Answer 1

Don't implement the ASP.NET AntiForgeryToken on your login page. The token is based on a username among other criteria and a login page assume the attacker already has credentials to a system in order to be able to exploit csrf on that page.

However, you should use some form of CSRF protection on your login page - see https://security.stackexchange.com/a/2126/51772