configure antiforgerytoken single use mvc asp.net

Question

I want to modify the AntiForgeryToken for each request.

I read these posts:

• Is it possible to make the AntiForgeryToken value in ASP.NET MVC change after each verification?
• ASP.NET MVC Anti Forgery Token Insecure

The initial post clearly rules it out, but the latter seems to mention that it is "quite simple". However I did not quite get how to achieve single use for the token.

Under my current implementation I have tokens delivered as Secure http-only cookies. But it stays constant for the entire session. I don't care if my implementation breaks the back button. Any suggestions?

Answer 1

Since we don't have your example not sure how you are using this, but a simple form like this does display a new token on every request in the form

@using (Html.BeginForm()) {
@Html.AntiForgeryToken()
@Html.ValidationSummary(true)<fieldset>
    <legend>Person</legend>

    <div class="editor-label">
        @Html.LabelFor(model => model.Name)
    </div>
    <div class="editor-field">
        @Html.EditorFor(model => model.Name)
        @Html.ValidationMessageFor(model => model.Name)
    </div>

    <div class="editor-label">
        @Html.LabelFor(model => model.Address)
    </div>
    <div class="editor-field">
        @Html.EditorFor(model => model.Address)
        @Html.ValidationMessageFor(model => model.Address)
    </div>

    <p>
        <input type="submit" value="Save" />
    </p>
</fieldset> }

Form above shows me different values in each request like

<input name="__RequestVerificationToken" type="hidden" value="53WW641jzT5QWcIrrLltqF0OGt79US1eBwue1MQU6lW200CxUiD6fcC949RZee4gcNrFNnaP5QYFi6lJd_QmuUqSfex7wWHwWjUC30_kVrI1" />

<input name="__RequestVerificationToken" type="hidden" value="QXHlA8N9g_95YbPeEpjPHhjQFV9IMNJf7eEdnPnADH9BPgQg_DQQKQqf9diPAxMQWJoBcT6FeXCIECe-Qd6Q6wA5BimVlU9K0C67nokzuXQ1" />

There is more information on SO here which also references to other detailed information outside here