9

I am using the AntiForgeryToken helper method. From what I understand about the AntiForgeryToken is that it is session based, so that each user has the same token but another user will have a different token (provided that you use the same salts for all of the forms). My "problem" is that AntiForgeryToken is generating different tokens for the same user with the same salt. For example ...

Controller

public ActionResult Test()
{
    return View();
}

View

@using (Html.BeginForm())
{
    @Html.AntiForgeryToken("Salty!")
}

Output Request #1

<input name="__RequestVerificationToken" type="hidden" value="K1sijFuYvyGUJjGg33OnLjJaU3tFpGFDutRt9TOFSkZ6FcrhJMMQPnOqjIHuTwBXs/sPBXEiE+1qyV9l63nnSO161b+OtLbaBoPC7K3/7wxtnuSY+N0o/fqBgVoDyac4dNVp+OvanKBSrHINKfc3WEg9269BHOJNzFowC6Aeac/afAGTGrBypxUHfqrKVowD" />

Output Request #2

<input name="__RequestVerificationToken" type="hidden" value="mOpP6LMQXnCmjr5/Wdtnhguh3PyZxWj7GWf8LYzZXPKcJBBT+DbAHvynquSD65O0DBw1RKR7DxCNg372ukftCOWms+o75CraMyFMnvjGk7RU+znIQm05eRQvr5H6d/MDyn+0DWm3jLnMBM9GplsgMRqbdAHzSe69/cS2x9A4X/9jFTZQHUWXXHUr0xewF8Rk" />

The keys are different for the same session with the same salt. Do I have a fundamental misunderstanding of CSRF protection? Or is this a new feature?

Stefan Bossbaly

1 Answer

7

The anti XSRF token works by encrypting the same random value into a session cookie and onto your form. The session cookies are submitted only when you make a post from the form you've generated.

This approach also works e.g. on server farms (in a load balancing scenario) where all servers share the encryption key. The validation works only by comparing the decrypted value from the posted form data and the decrypted value from the posted session cookie. This is called the double submitted cookie method.

So it's pretty normal that each request gets a different value. This is a nice post about ASP.NET MVC XSRF tokens.

m0sa
  • So it changes the session data on the server when a new token is issued? All of the values of my cookies are staying the same. I thought that the __RequestVerificationToken_Lw__ cookie value would change. – Stefan Bossbaly Jul 03 '12 at 15:26
  • No, the server sets the cookie on the client. The client then sends the same value twice when posting. Once encoded in the form data and once in the cookie (cookies get transmitted to the server on POST). The server knows only the encryption key. It doesn't store anything else for anti XSRF purposes. – m0sa Jul 03 '12 at 15:29
  • Any reason not to just store the tokens in session and not ever send it to the client? Something like: AntiForgery.GetTokens(null, out cookieToken, out formToken); return cookieToken + ":" + formToken; Then just store that in session? – Jack Marchetti May 10 '14 at 23:12
  • @Jack this approach doesn't require server state. And even if you save the value in the user session, you still need to compare it against a posted form value to make sure the request is indeed originating from your site. Otherwise any website (like in another tab) could make a call in the user's session to your site without his knowledge. He'd just have to be logged in and visit a malicious site. – m0sa May 11 '14 at 06:45
  • Does this mean that, in the same session, the __RequestVerificationToken in the hidden field will change per request while the one in the cookie stays the same? In our QA environment we are experiencing a situation where the token in the hidden field is not changing when we navigate to other pages. What can be the issue for getting the same value in the hidden field? – Joy George Kunjikkuru May 22 '14 at 23:11
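The double-submitted cookie mechanism the answer describes, as an added stand-alone illustration rather than ASP.NET's own code: the function names are my own, and HMAC-SHA256 in counter mode plus a MAC stands in for the framework's machineKey-based encryption. It shows why the hidden-field value differs on every render while the cookie stays the same, and why validation still succeeds.

```python
import base64, hashlib, hmac, os

# Secret shared by every web server in the farm. ASP.NET MVC gets this from the
# configured machineKey; generating it at import time is a simplification here.
SERVER_KEY = os.urandom(32)
NONCE_LEN, TAG_LEN = 16, 32

def _subkeys(key):
    # Distinct confidentiality and integrity keys derived from the server key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 as a PRF in counter mode: a stdlib-only stand-in for a block cipher.
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt(key, plaintext):
    # Encrypt-then-MAC under a fresh random nonce: same plaintext, new ciphertext each call.
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return base64.b64encode(nonce + ct + tag).decode()

def decrypt(key, token):
    # Check the tag before using anything; tampering or a foreign key raises ValueError.
    enc_key, mac_key = _subkeys(key)
    raw = base64.b64decode(token)
    nonce, ct, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("anti-forgery token failed its integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def issue_cookie_token(key=SERVER_KEY):
    # Set once per session: the cookie carries the encrypted random secret.
    return encrypt(key, os.urandom(16))

def render_form_token(cookie_token, key=SERVER_KEY):
    # Runs on every render: re-encrypts the cookie's secret, so the hidden field changes.
    return encrypt(key, decrypt(key, cookie_token))

def validate(cookie_token, form_token, key=SERVER_KEY):
    # Double-submit check: both values must decrypt under the shared key to one secret.
    try:
        return hmac.compare_digest(decrypt(key, cookie_token), decrypt(key, form_token))
    except ValueError:
        return False
```

A form token rendered for one session's cookie fails against any other session's cookie, and a server that does not hold the shared key cannot validate or mint tokens at all.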