Hi experts,
I have recently run into an interesting issue where an anonymous user gets a prompt to enter credentials. This occurs only when the user navigates to the site, does not log in, waits for 30 minutes and then tries to submit the page. At this moment, s/he gets prompted for credentials. If s/he submitted the form without the 30-minute idle time, all would work without any issue.
The prompt comes because of a call to the GetUpdatedFormDigest method of _vti_bin/sites.asmx. You can find the call wrapped in a JavaScript function named UpdateFormDigest, which is called from WebForm_OnSubmit. All this JavaScript is already generated by the FormOnLoad method of the Microsoft.SharePoint.WebPartPages.WebPartPage class. More on this can also be read in this blog post.
The forced refresh of the form digest actually makes sense to increase security. Where I get lost is why the GetUpdatedFormDigest method of _vti_bin/sites.asmx does not work for an anonymous user (it asks for credentials).
The entire behavior can be disabled, the timeout can be modified or set to never expire in Central Administration > Application Management > Web Application General Settings > Web Page Security Validation. The setting in the end lowers the security for the entire web application. Thus, I would like to know the guidelines:
- is it suggested to set the Security validation expires to Never for all web applications that are available to anonymous users?
- different suggestions?
- or do I just have something configured incorrectly?
Looking forward to your comments!
Thanks,
Michal
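
The submit-time decision described in the post, as an added sketch (not part of the original post and not SharePoint's generated script): it works out whether a form digest is older than the validation timeout and, if so, describes the extra SOAP request to `_vti_bin/sites.asmx` that has to succeed for the visitor before the form can post. The digest layout (`0x<hex>,<date> -0000`), the helper names `parseFormDigest` and `planSubmit`, and the sample token are assumptions made for illustration.

```javascript
// Added illustration; simplified, no network traffic is sent.
const SOAP_NS = "http://schemas.microsoft.com/sharepoint/soap/";
const MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
                "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"];

// Split a digest value into its token and issue time (ms since epoch, UTC).
// Assumed layout: "0x<hex>,<d> <Mon> <yyyy> <hh>:<mm>:<ss> -0000".
function parseFormDigest(value) {
  const m = /^(0x[0-9A-Fa-f]+),(\d{1,2}) ([A-Z][a-z]{2}) (\d{4}) (\d{2}):(\d{2}):(\d{2}) -0000$/.exec(value);
  if (!m || MONTHS.indexOf(m[3]) < 0) throw new Error("unrecognised digest format");
  const issued = Date.UTC(+m[4], MONTHS.indexOf(m[3]), +m[2], +m[5], +m[6], +m[7]);
  return { token: m[1], issued };
}

// Decide what a submit handler must do at time `now` (ms), given the web
// application's validation timeout in minutes (null means "never expires").
function planSubmit(digestValue, timeoutMinutes, now) {
  const { issued } = parseFormDigest(digestValue);
  const ageMin = (now - issued) / 60000;
  if (timeoutMinutes === null || ageMin < timeoutMinutes) {
    return { refresh: false, ageMin };
  }
  // Stale digest: a fresh one has to be fetched first. This second request is
  // the one that must be reachable without credentials for anonymous visitors.
  return {
    refresh: true,
    ageMin,
    request: {
      method: "POST",
      url: "/_vti_bin/sites.asmx",
      headers: {
        "Content-Type": "text/xml; charset=utf-8",
        SOAPAction: SOAP_NS + "GetUpdatedFormDigest",
      },
      body:
        '<?xml version="1.0" encoding="utf-8"?>' +
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">' +
        `<soap:Body><GetUpdatedFormDigest xmlns="${SOAP_NS}" /></soap:Body>` +
        "</soap:Envelope>",
    },
  };
}

// Constructed sample digest (not a real token), submitted 31 minutes after issue.
const SAMPLE_DIGEST = "0x0123456789ABCDEF,25 Jul 2011 10:00:00 -0000";
console.log(planSubmit(SAMPLE_DIGEST, 30, Date.UTC(2011, 6, 25, 10, 31, 0)));
```

Comparing the `refresh: false` and `refresh: true` cases shows why the prompt only appears after the idle period: the form post itself is unchanged, and only the added web-service call touches an endpoint with its own access check.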