AntiForgery.GetTokens: what is the purpose of the oldCookieToken parameter?


We're writing an iOS mobile app in Objective-C that makes posts to our ASP.NET MVC server app. On iPhone, the HTTP stack (and cookies etc.) appears to be shared with Safari. This leaves us open to XSRF attacks, so unless I'm mistaken we need to protect the POSTs with anti-forgery tokens and protect our controller methods with ValidateAntiForgeryTokenAttribute.

I'll qualify this question by saying that I don't properly understand the mechanism by which the antiforgery tokens are generated and verified... in particular, the term 'nonce' used in this context is somewhat mystical.

Because we're not delivering HTML to the client, we can't use the standard @Html.AntiForgeryToken(), so instead we have to use AntiForgery.GetTokens to acquire and distribute the tokens to our clients. This has a mysterious first parameter: oldCookieToken. At the moment, I just set it to null and everything seems to work fine. So can anyone tell me... what is the use of supplying the old token to the token generating algorithm? If only a single token is issued to our iOS app and reused for multiple posts, is this going to be problematic?

spender asked Apr 24 '13 12:04



1 Answer

AntiForgery.GetTokens will try to reuse the old cookie token for validation purposes. So if you already have a validation token you want to reuse, it will attempt to use it instead of generating a new one. If the old token is invalid, it will generate a new one and use it instead.

So passing null to oldCookieToken is valid. It simply tells GetTokens to always generate a new cookie token.

John Stanley answered Sep 28 '22 15:09
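The answer above describes what oldCookieToken does; the following is an added example (my own code, not the asker's, the answerer's, or anything from the original page) that shows how a non-HTML client such as the iOS app would use it end to end on ASP.NET MVC 4: one endpoint that issues the token pair with AntiForgery.GetTokens, passing back whatever cookie token the client already holds, and an authorization filter that validates the pair with AntiForgery.Validate when the form token arrives in a request header instead of a form field. The controller names, the namespace, the JSON body shape and the X-XSRF-Token header name are assumptions made for this example; AntiForgery.GetTokens, AntiForgery.Validate and AntiForgeryConfig.CookieName are the real System.Web.Helpers members.

```csharp
using System.Net;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

// Namespace and type names are assumptions for this example.
namespace XsrfForNativeClients
{
    // Issues the anti-forgery token pair to a non-browser client (e.g. the iOS app).
    public class AntiForgeryTokenController : Controller
    {
        // GET /AntiForgeryToken
        [HttpGet]
        public ActionResult Index()
        {
            // Hand GetTokens whatever cookie token the client already holds, or null
            // on the first call. A still-valid old cookie token is kept and only a
            // form token is minted for it; an absent or invalid one makes GetTokens
            // generate a fresh cookie token as well.
            HttpCookie existing = Request.Cookies[AntiForgeryConfig.CookieName];
            string oldCookieToken = existing != null ? existing.Value : null;

            string newCookieToken, formToken;
            AntiForgery.GetTokens(oldCookieToken, out newCookieToken, out formToken);

            // newCookieToken is null when the old cookie token was reused, so the
            // cookie is only (re)set when the framework actually minted a new one.
            if (newCookieToken != null)
            {
                Response.Cookies.Add(new HttpCookie(AntiForgeryConfig.CookieName, newCookieToken)
                {
                    HttpOnly = true,
                    Secure = Request.IsSecureConnection
                });
            }

            // The form token travels in the JSON body (shape is an assumption);
            // the client echoes it back in a header on every POST.
            return Json(new { formToken }, JsonRequestBehavior.AllowGet);
        }
    }

    // Stand-in for [ValidateAntiForgeryToken] for clients that cannot post a form
    // field: the form token is read from a header. Header name is an assumption.
    public class ValidateHeaderAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
    {
        public const string HeaderName = "X-XSRF-Token";

        public void OnAuthorization(AuthorizationContext filterContext)
        {
            HttpRequestBase request = filterContext.HttpContext.Request;

            HttpCookie cookie = request.Cookies[AntiForgeryConfig.CookieName];
            string cookieToken = cookie != null ? cookie.Value : null;
            string formToken = request.Headers[HeaderName];

            // Throws HttpAntiForgeryException when either token is missing, the two
            // tokens do not belong together, or the form token was issued for a
            // different authenticated user than the one making this request.
            AntiForgery.Validate(cookieToken, formToken);
        }
    }

    // A protected endpoint: the filter runs before the action body executes.
    public class OrdersController : Controller
    {
        [HttpPost]
        [ValidateHeaderAntiForgeryToken]
        public ActionResult Create()
        {
            return new HttpStatusCodeResult(HttpStatusCode.NoContent);
        }
    }
}
```

On the client side the app fetches /AntiForgeryToken once, lets its shared cookie store keep the anti-forgery cookie, and sends the returned form token in the X-XSRF-Token header of each POST. Two properties of the MVC implementation matter for the "single token reused for multiple posts" part of the question: the form token is not consumed on use, so the same pair validates repeatedly for as long as the cookie token survives, but the form token is bound to the authenticated user name at the time it was issued, so the app must request a new pair after logging in or out or validation will fail with a user-mismatch error. Passing the existing cookie token as oldCookieToken on that refresh is exactly what keeps the cookie stable across those refreshes instead of rotating it every time.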