
I can't understand why, during validation, MVC takes into account not only the form field but also a cookie with the same information. I looked through different SO answers and blogs but couldn't find the answer.

For instance, a victim can transfer money on http://bank.com using his authentication cookie. Then an attacker sends an email to the victim with an image like <img src="http://bank.example.com/withdraw?account=Alice&amount=1000000&for=Mallory">. Why not just prevent the malicious request by comparing only the form field "__RequestVerificationToken" with some hash? Using the cookie seems to me a bit of extra stuff. Could you provide some scenario which "breaks" my hunch?

myroman
    Having the CSRF token in a cookie is just an easy way to add the value to the form too. e.g. JavaScript can programmatically add the value to each form on the page or each AJAX request without the need for it to be manually coded each time. – SilverlightFox Mar 28 '14 at 14:34
  • Also see: http://stackoverflow.com/a/20518324/413180 – SilverlightFox Mar 29 '14 at 09:58
  • @SilverlightFox if it's just an easy way, it makes sense, really – myroman Mar 31 '14 at 06:28
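The scenario the question asks for, as an added illustration that is not part of the original post and not ASP.NET MVC's own anti-forgery code: a Python model of the double-submit check (a random nonce carried in both the cookie and the form field, the form copy additionally HMAC-signed) placed beside the form-field-only check proposed in the question. The server key, token layout and the simulated browser requests are assumptions made for the example. The attacker logs in to their own account, harvests a perfectly valid signed form token, and auto-submits it from a cross-site page; the victim's browser attaches the victim's own cookie, so the two tokens no longer agree. A form-only check accepts that request; the double-submit check rejects it.

```python
"""Double-submit anti-forgery check versus a form-field-only check.

Added illustration of the idea behind __RequestVerificationToken; this is
not the framework's code and the token layout is an assumption.
"""
import base64
import hashlib
import hmac
import secrets

# Assumed server-side secret, standing in for a machine key (hypothetical).
SERVER_KEY = b"server-side-secret-key-example"
NONCE_LEN = 16
MAC_LEN = 32  # SHA-256 digest length


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(nonce):
    return hmac.new(SERVER_KEY, nonce, hashlib.sha256).digest()


def issue_tokens():
    """Return (cookie_token, form_token) for one rendered page.

    Both carry the same random nonce. The cookie is sent automatically by the
    browser; the form token is nonce||HMAC so it cannot be minted without the
    server key, and it must be written into the request body by the page.
    """
    nonce = secrets.token_bytes(NONCE_LEN)
    return _b64e(nonce), _b64e(nonce + _sign(nonce))


def form_token_is_signed(form_token):
    """The check the question proposes: only the form field, against a hash.

    Stateless and not bound to any browser, so any valid token works anywhere.
    """
    if not isinstance(form_token, str):
        return False
    try:
        raw = _b64d(form_token)
    except ValueError:  # includes binascii.Error
        return False
    if len(raw) != NONCE_LEN + MAC_LEN:
        return False
    nonce, mac = raw[:NONCE_LEN], raw[NONCE_LEN:]
    return hmac.compare_digest(mac, _sign(nonce))


def validate_request(cookie_token, form_token):
    """Double-submit check: the form token must be signed AND match the cookie.

    A cross-site page can make the victim's browser send the cookie, but it
    can neither read that cookie nor set it, so it cannot produce a matching
    form field (same-origin policy).
    """
    if not isinstance(cookie_token, str) or not form_token_is_signed(form_token):
        return False
    try:
        cookie_nonce = _b64d(cookie_token)
    except ValueError:
        return False
    form_nonce = _b64d(form_token)[:NONCE_LEN]
    return hmac.compare_digest(cookie_nonce, form_nonce)


def simulate_attack():
    """Replay the question's scenario with constructed (simulated) requests."""
    # Victim is logged in at the bank; the page issued this token pair.
    victim_cookie, victim_form = issue_tokens()
    # Attacker logs in to their OWN account and harvests a valid pair.
    _attacker_cookie, attacker_form = issue_tokens()

    # <img src="http://bank.example.com/withdraw?..."> : cookie goes along,
    # but there is no form body at all.
    img_get = {"cookie": victim_cookie, "form": None}
    # Hidden auto-submitting cross-site form carrying the attacker's token;
    # the browser still attaches the victim's cookie.
    auto_post = {"cookie": victim_cookie, "form": attacker_form}
    # Legitimate submission of the bank's own form.
    legit_post = {"cookie": victim_cookie, "form": victim_form}

    return {
        "img_get_passes_either": form_token_is_signed(img_get["form"])
        or validate_request(img_get["cookie"], img_get["form"]),
        "form_only_check_passes_attack": form_token_is_signed(auto_post["form"]),
        "double_submit_passes_attack": validate_request(auto_post["cookie"], auto_post["form"]),
        "double_submit_passes_legit": validate_request(legit_post["cookie"], legit_post["form"]),
    }


if __name__ == "__main__":
    for name, outcome in simulate_attack().items():
        print(f"{name}: {outcome}")
```

The form-only check fails not because the hash is weak but because nothing ties the token to the browser that submits it; the cookie supplies that binding without the server having to store per-session state. The comment above about JavaScript copying the cookie value into forms and AJAX headers works for the same reason: only script running on the bank's own origin can read that cookie.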

0 Answers