 

Anti Forgery Token race condition

I have an MVC view that is supposed to be iframed, and several instances of it might be iframed in the same host page. In my view I have this:

@Html.AntiForgeryToken()

I use this to try to make sure calls to a Web API are only coming from this page. My host page might look something like this:

<iframe src="http://myserver.com/myview?someparameters=0000"></iframe>
<iframe src="http://myserver.com/myview?someparameters=0001"></iframe>
<iframe src="http://myserver.com/myview?someparameters=0002"></iframe>

In my view I grab the token and submit it in a header so that I can check it in my API:

// Inside a Web API action filter (actionContext is the HttpActionContext).
// Needs System.Linq, System.Net.Http (GetCookies) and System.Web.Helpers (AntiForgery).
var headers = actionContext.Request.Headers;
// The form token, sent by the page in a custom header instead of a form field.
var headerToken = headers.Contains("__RequestVerificationToken") ? headers.GetValues("__RequestVerificationToken").FirstOrDefault() : null;
// The cookie token, read from the __RequestVerificationToken cookie on the same request.
var cookie = headers.GetCookies("__RequestVerificationToken").FirstOrDefault()?["__RequestVerificationToken"]?.Value;

// Throws HttpAntiForgeryException if the cookie token and the header token are not a matching pair.
AntiForgery.Validate(cookie, headerToken);

The problem I'm running into is that in my host page, all three views are getting loaded in parallel. As a result they all get their own random token in a hidden field and try to set the cookie. But while there can be three separate independent hidden input tokens, there can be only one cookie. So of the three requests, two will fail and one will succeed. A reload of the page will have all three working again, presumably because they are all getting the same anti-forgery token at this point (because it belongs to the session - if I understand this correctly).

So how can I avoid this? How can I make sure they all get the same token?

Matt Burland asked Jun 28 '17 20:06




1 Answer

Try using a partial view. In each partial view you can use your iframes, and all partial views will be added to the main .cshtml file that has Html.AntiForgeryToken():

@Html.AntiForgeryToken()

<div>
    @{ Html.RenderPartial("_iFrame1"); }
</div>
<div>
    @{ Html.RenderPartial("_iFrame2"); }
</div>
<div>
    @{ Html.RenderPartial("_iFrame3"); }
</div>
Laxmikant answered Sep 28 '22 01:09
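Added example, not code from the question or the answer: a small Python model of the cookie/hidden-field token pair that reproduces the race described in the question (three iframes loaded in parallel on a first visit, only one cookie surviving) and shows why the reload works and why rendering the token once in the host page, as the answer suggests, works. The HMAC binding, the SERVER_KEY constant and all function names are assumptions made for this model; the real ASP.NET scheme additionally encrypts the tokens and binds the form token to the authenticated user, but the cookie-overwrite behaviour is the same.

```python
"""Model of the ASP.NET anti-forgery token pair and the parallel-iframe race.

Constructed simulation; not the real AntiForgery implementation.
"""
import hashlib
import hmac
import secrets

# Constructed stand-in for the server's machineKey (assumption, not the real scheme).
SERVER_KEY = secrets.token_bytes(32)


def mint_cookie_token() -> str:
    """Random per-browser secret that goes into the __RequestVerificationToken cookie."""
    return secrets.token_hex(16)


def mint_form_token(cookie_token: str) -> str:
    """Token for the hidden field; in this model it is bound to the cookie token by an HMAC."""
    return hmac.new(SERVER_KEY, cookie_token.encode(), hashlib.sha256).hexdigest()


def validate(cookie_token, form_token) -> bool:
    """Stand-in for AntiForgery.Validate(cookie, headerToken): both halves must be present and match."""
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(mint_form_token(cookie_token), form_token)


class Browser:
    """One cookie jar per browser: only one __RequestVerificationToken cookie can exist at a time."""

    def __init__(self):
        self.cookie = None


def render_view(request_cookie):
    """Server side of GET /myview, mirroring what @Html.AntiForgeryToken() does:
    reuse the cookie token the client sent, otherwise mint one and Set-Cookie it.
    Returns (form_token, cookie_to_set_or_None)."""
    if request_cookie:
        return mint_form_token(request_cookie), None
    cookie_token = mint_cookie_token()
    return mint_form_token(cookie_token), cookie_token


def load_iframes_in_parallel(browser, n):
    """All n iframe GETs leave before any response lands, so every request carries the
    same (possibly empty) Cookie header, and the last Set-Cookie to arrive wins."""
    request_cookie = browser.cookie  # snapshot taken once: the requests are concurrent
    form_tokens = []
    for _ in range(n):
        form_token, set_cookie = render_view(request_cookie)
        if set_cookie is not None:
            browser.cookie = set_cookie  # overwrites whatever an earlier frame set
        form_tokens.append(form_token)
    return form_tokens


def load_iframes_via_host_page(browser, n):
    """The answer's fix: the host .cshtml calls @Html.AntiForgeryToken() once and the
    partials share that pair, so the cookie is set exactly once."""
    form_token, set_cookie = render_view(browser.cookie)
    if set_cookie is not None:
        browser.cookie = set_cookie
    return [form_token] * n


def call_api(browser, form_tokens):
    """Each frame sends its hidden-field token in the header; the API checks it
    against the single cookie the browser currently holds."""
    return [validate(browser.cookie, t) for t in form_tokens]


def count_valid(results) -> int:
    return sum(1 for ok in results if ok)


if __name__ == "__main__":
    b = Browser()
    print("first load, 3 frames in parallel:", call_api(b, load_iframes_in_parallel(b, 3)))
    print("reload, cookie already present:  ", call_api(b, load_iframes_in_parallel(b, 3)))
    fresh = Browser()
    print("host page renders token once:    ", call_api(fresh, load_iframes_via_host_page(fresh, 3)))
```

On the first parallel load exactly one frame (the one whose Set-Cookie landed last) validates; on the reload every request already carries the cookie, so the server reuses it and all three form tokens match, which is the behaviour the question reports. The answer's approach works because the partials are rendered server-side by the same MVC application as the host page, so there is a single token pair per page render; it does not apply if the host page lives on a different origin from myserver.com, in which case the cookie is also a third-party cookie and the browser may refuse to store it at all.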