AntiForgeryTokens vs Caching vs Widgets

Topics: Core, General
Nov 6, 2013 at 2:23 PM

I'm having problems with forms that are placed in a widget.

Dropping the antiforgerytokens altogether is not possible, apparently. Yes, you can disable it in your module.txt file, but when users are authenticated this setting is ignored.

This leaves me with only one option: using Html.BeginFormAntiForgeryPost() in my widget.

However, when caching is enabled, the code in my widget still runs, throwing an exception: "Server cannot modify cookies after HTTP headers have been sent". If I turn off caching, all works fine.

I'm not sure how to continue.

I can't disable antiforgerytokens because we can have authenticated users.
I can't disable caching because this widget is on every page.

Any advice?

Nov 6, 2013 at 2:38 PM

I thought that when OutputCache is enabled and a request hits the cache, the widget code (Razor view or driver) is not supposed to be executed, but the whole page is supposed to be served from cache. Why is it not so?