Default Changes for AntiForgeryToken

I use the helper method AntiForgeryToken. What I understand about AntiForgeryToken is that it is session based, so each user has the same token, but another user will have a different token (assuming you use the same salt for all forms). My “problem” is that AntiForgeryToken creates different tokens for the same user with the same salt. For example...

Controller

 public ActionResult Test() { return View(); } 

View

 @using (Html.BeginForm()) { @Html.AntiForgeryToken("Salty!") } 

Output of request 1

 <input name="__RequestVerificationToken" type="hidden" value="K1sijFuYvyGUJjGg33OnLjJaU3tFpGFDutRt9TOFSkZ6FcrhJMMQPnOqjIHuTwBXs/sPBXEiE+1qyV9l63nnSO161b+OtLbaBoPC7K3/7wxtnuSY+N0o/fqBgVoDyac4dNVp+OvanKBSrHINKfc3WEg9269BHOJNzFowC6Aeac/afAGTGrBypxUHfqrKVowD" /> 

Output of request 2

 <input name="__RequestVerificationToken" type="hidden" value="mOpP6LMQXnCmjr5/Wdtnhguh3PyZxWj7GWf8LYzZXPKcJBBT+DbAHvynquSD65O0DBw1RKR7DxCNg372ukftCOWms+o75CraMyFMnvjGk7RU+znIQm05eRQvr5H6d/MDyn+0DWm3jLnMBM9GplsgMRqbdAHzSe69/cS2x9A4X/9jFTZQHUWXXHUr0xewF8Rk" /> 

The tokens are different for the same session with the same salt. Do I have a fundamental misunderstanding of CSRF protection? Or is this a new feature?

Tags: security, c#, asp.net-mvc, csrf

1 answer

The anti-XSRF token works by encrypting the same random value into both the session cookie and your form. The session cookie is only sent along when you post from the form you created.

This approach also works, for example, on server farms (in a load-balancing scenario), where all servers share the encryption key. Verification is performed only by comparing the decrypted value from the posted form data with the decrypted value from the posted session cookie. This is called the double submit cookie method.

So it is normal that each request gets a different value. This is a good article on ASP.NET MVC XSRF tokens.

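To make the answer concrete, here is an added illustration of the double submit cookie mechanism in Python. It is not the ASP.NET MVC implementation and not code from the original post; the server key, the token layout (nonce, ciphertext, tag) and the way the salt is folded into the form token are assumptions for the example, and the cipher is a toy HMAC-SHA256 counter-mode construction chosen only so the code runs on the standard library. The point it shows is the one in the answer: a fresh nonce per encryption makes two form fields rendered for the same session look completely different, yet both decrypt to the same secret as the cookie, and verification is nothing more than decrypting both halves and comparing them.

```python
"""Toy double-submit-cookie anti-forgery scheme (added illustration; not the
ASP.NET MVC implementation). The cipher is an HMAC-SHA256 counter-mode stream
cipher with an HMAC tag, used only so the example runs on the standard library;
production code uses AES-GCM or the framework's own data-protection API."""
import base64
import hashlib
import hmac
import os

SECRET_LEN = 32   # random per-user secret carried by the cookie
NONCE_LEN = 16    # fresh per encryption; the reason two tokens never look alike
TAG_LEN = 32      # HMAC-SHA256 tag over nonce || ciphertext

# Assumption: one server key shared by every node of the farm.
SERVER_KEY = os.urandom(32)


def _subkey(key, label):
    # Derive separate encryption and MAC keys from the single server key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    # Concatenate HMAC(enc_key, nonce || counter) blocks and truncate.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_token(key, plaintext):
    """base64(nonce || ciphertext || tag), with a fresh nonce on every call."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(nonce + ct + tag).decode()


def decrypt_token(key, token):
    """Return the plaintext, or None if the token is malformed or tampered."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None   # tag is checked first, so forged ciphertext never reaches verify()
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def new_session_cookie(key):
    """Mint the per-user random secret and the cookie value that carries it."""
    secret = os.urandom(SECRET_LEN)
    return secret, encrypt_token(key, secret)


def form_token(key, secret, salt):
    """Value for the hidden __RequestVerificationToken field: secret plus salt."""
    return encrypt_token(key, secret + salt.encode())


def verify(key, cookie_token, form_field, salt):
    """Decrypt both halves; accept only if they carry the same secret and salt."""
    cookie_secret = decrypt_token(key, cookie_token)
    form_plain = decrypt_token(key, form_field)
    if cookie_secret is None or form_plain is None:
        return False
    if len(cookie_secret) != SECRET_LEN or len(form_plain) < SECRET_LEN:
        return False
    same_secret = hmac.compare_digest(cookie_secret, form_plain[:SECRET_LEN])
    same_salt = hmac.compare_digest(form_plain[SECRET_LEN:], salt.encode())
    return same_secret and same_salt


def flip_bit(token):
    """Corrupt one ciphertext bit of a token, to show that tampering is rejected."""
    raw = bytearray(base64.b64decode(token))
    raw[NONCE_LEN] ^= 0x01
    return base64.b64encode(bytes(raw)).decode()


if __name__ == "__main__":
    secret, cookie = new_session_cookie(SERVER_KEY)
    t1 = form_token(SERVER_KEY, secret, "Salty!")
    t2 = form_token(SERVER_KEY, secret, "Salty!")
    print("same session, two renders, different field values:", t1 != t2)
    print("both verify against the cookie:",
          verify(SERVER_KEY, cookie, t1, "Salty!") and verify(SERVER_KEY, cookie, t2, "Salty!"))
    _, other_cookie = new_session_cookie(SERVER_KEY)
    print("another user's cookie with this form:", verify(SERVER_KEY, other_cookie, t1, "Salty!"))
    print("tampered field:", verify(SERVER_KEY, cookie, flip_bit(t1), "Salty!"))
```

Running the script shows the two hidden-field values differ byte for byte, exactly as in the two outputs in the question, while both validate against the one cookie; a form token paired with another user's cookie, a token issued under a different salt, or a token with a flipped bit is rejected. Because the check needs only the shared key and not any server-side session store, any node in the farm can validate a request that another node rendered.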
