Why does the hidden AntiForgeryToken field not match its cookies on my machine?

I just quickly tested a simple ASP.NET MVC 3 example by changing the default form for LogOn. According to this article, both the __RequestVerificationToken hidden field and the __RequestVerificationToken_Lw__ cookie must contain the same value generated by Html.AntiForgeryToken(). But this is not entirely true when I look at them in Fiddler; by the way, looking at the source code of MVC 3, the GetAntiForgeryTokenAndSetCookie method did not seem to use the salt value to generate the cookie. Was there any change in MVC 3?

I forgot to say that I could still successfully log in with a regular or AJAX POST request.

Here is the raw log from Fiddler:

 POST http://localhost:51713/Account/LogOn HTTP/1.1
 Referer: http://localhost:51713/Account/LogOn
 Content-Length: 256
 Origin: http://localhost:51713
 X-Requested-With: XMLHttpRequest
 Content-Type: application/x-www-form-urlencoded
 Cookie: __RequestVerificationToken_Lw__=OIRtVqUvNt/LfDGeoVy3W1VhdKN7MwdbUZmRNScz4NqS4uV0I0vQH2MHg77SsVhcinK5SJi9mVcdBUWk2VMiPTk8EMUN2Zq0X4ucK8XQ3/zr6NoiIvVF73Bq8ahbFaY/IrNrWY7mmzvO9j/XVLNN2lNqgCd6I3UGZAw3/nlOmpA=

 __RequestVerificationToken=zeDS%2F8MZE%2BLf%2FrRhevwN51J7bOE3GxlGNLQc8HogwFctF7glU1JboHePTTHa5YFe9%2FD2sY7w167q53gqvcwYZG1iZeecdnO4fdg6URdR4RUR%2BjIgk1apkXoxQ2xg48REfv4N5D4SHKU4MAf30Diy0MVyyF9N2Dl7uUGT6LbKHZU%3D&UserName=Tien&Password=tien&RememberMe=false
+7
2 answers

What makes you think that they should be the same? :) Of course, they must be comparable in some way, but this does not mean that they should look the same in their serialized form. A different set of data is serialized in the cookie (I think it's just the salt and the token) and in the HTML markup (salt, token, creation time, username).

If you are interested in the details, take ILSpy and look at the methods of System.Web.Mvc.AntiForgeryDataSerializer and System.Web.Mvc.AntiForgeryData, and at OnAuthorization in System.Web.Mvc.ValidateAntiForgeryTokenAttribute.

+2
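To make the answer above concrete, here is an added example (not the answerer's code and not MVC's own implementation) that models the MVC 3 scheme it describes: the cookie and the form field wrap the same random value in two different envelopes, so the serialized strings never match, and validation compares the fields inside them. The HMAC-based protect/unprotect, the fixed creation date and the demo key are assumptions standing in for ASP.NET's MachineKey protection.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the server's machine key (assumption: any per-server secret works here).
MACHINE_KEY = hashlib.sha256(b"constructed-demo-machine-key").digest()


def protect(fields):
    """Serialize a field dict, append an HMAC-SHA256 tag and base64-encode the result."""
    body = json.dumps(fields, sort_keys=True).encode()
    tag = hmac.new(MACHINE_KEY, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()


def unprotect(token):
    """Verify the tag and deserialize; raise ValueError if the token was altered."""
    raw = base64.b64decode(token)
    body, tag = raw[:-32], raw[-32:]
    expected = hmac.new(MACHINE_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("anti-forgery token failed integrity check")
    return json.loads(body)


def issue_tokens(username, salt=""):
    """Mirror Html.AntiForgeryToken(): one random value, two different envelopes.
    Cookie: (salt, value). Form field: (salt, value, creation date, username)."""
    value = secrets.token_urlsafe(32)
    cookie = protect({"salt": salt, "value": value})
    form = protect({"salt": salt, "value": value,
                    "creationDate": "2011-01-01T00:00:00Z",  # constructed timestamp
                    "username": username})
    return cookie, form


def validate(cookie_token, form_token, current_user, salt=""):
    """Mirror ValidateAntiForgeryTokenAttribute.OnAuthorization as the answer describes it:
    unwrap both tokens, then compare value, salt and username field by field."""
    try:
        cookie, form = unprotect(cookie_token), unprotect(form_token)
    except ValueError:
        return False
    return (hmac.compare_digest(cookie["value"], form["value"])
            and cookie["salt"] == salt == form["salt"]
            and form["username"] == current_user)
```

Issuing a pair with issue_tokens("Tien") yields two different strings that validate together; swapping in a cookie from a second issuance, changing the user, or altering a single character fails validation.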

The article you are referring to in your question is simply incorrect, because the token in the hidden anti-forgery field will never be the same as the anti-forgery cookie value.

The added value of my answer is a link to an interesting article that describes the internals of the ASP.NET anti-forgery token. Among other things, it gives clear steps for decoding and decrypting the cookie/form token:

 BitConverter.ToString(System.Web.Helpers.AntiXsrf.MachineKey45CryptoSystem.Instance.Unprotect(tokenValue)) 

... followed by the steps for matching the cookie and form tokens.

+1
