AntiForgeryToken changes per request

I am using the AntiForgeryToken helper method. From what I understand about the AntiForgeryToken, it is session based, so that each user has the same token but another user will have a different token (provided that you use the same salts for all of the forms). My "problem" is that AntiForgeryToken is generating different tokens for the same user with the same salt. For example ...

Controller

// Action that renders the view containing the form below
public ActionResult Test()
{
    return View();
}

View

@using (Html.BeginForm())
{
    @* Emits the hidden __RequestVerificationToken field, using "Salty!" as the salt *@
    @Html.AntiForgeryToken("Salty!")
}

Output Request #1

<input name="__RequestVerificationToken" type="hidden" value="K1sijFuYvyGUJjGg33OnLjJaU3tFpGFDutRt9TOFSkZ6FcrhJMMQPnOqjIHuTwBXs/sPBXEiE+1qyV9l63nnSO161b+OtLbaBoPC7K3/7wxtnuSY+N0o/fqBgVoDyac4dNVp+OvanKBSrHINKfc3WEg9269BHOJNzFowC6Aeac/afAGTGrBypxUHfqrKVowD" />

Output Request #2

<input name="__RequestVerificationToken" type="hidden" value="mOpP6LMQXnCmjr5/Wdtnhguh3PyZxWj7GWf8LYzZXPKcJBBT+DbAHvynquSD65O0DBw1RKR7DxCNg372ukftCOWms+o75CraMyFMnvjGk7RU+znIQm05eRQvr5H6d/MDyn+0DWm3jLnMBM9GplsgMRqbdAHzSe69/cS2x9A4X/9jFTZQHUWXXHUr0xewF8Rk" />

The keys are different for the same session with the same salt. Do I have a fundamental misunderstanding of CSRF protection? Or is this a new feature?

Stefan Bossbaly asked Jul 03 '12 15:07


1 Answer

The anti XSRF token works by encrypting the same random value into a session cookie and onto your form. The session cookies are submitted only when you make a post from the form you've generated.

This approach also works e.g. on server farms (in a load balancing scenario) where all servers share the encryption key. The validation works only by comparing the decrypted value from the posted form data and the decrypted value from the posted session cookie. This is called the double submitted cookie method.

So it's pretty normal that each request gets a different value. This is a nice post about ASP.NET MVC XSRF tokens.

m0sa answered Sep 26 '22 06:09
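The double submitted cookie scheme the answer describes, as an added example that is not part of the original post or of ASP.NET MVC: one random secret is set once in the cookie, every form render re-encrypts that same secret under a fresh IV (so the hidden field differs per request, exactly as the question observed), and validation compares the decrypted halves. The cipher here is a toy encrypt-then-MAC built from HMAC-SHA256 so the script runs offline; the real framework uses its own machine-key based protection, and the function names and salt handling are my assumptions.

```python
import hashlib
import hmac
import os

# Toy authenticated cipher (HMAC-SHA256 in CTR mode plus an HMAC tag) so the
# script runs offline; ASP.NET MVC's real machine-key protection differs.
SECRET_LEN = 16

def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def protect(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt under a fresh random IV and authenticate: the same plaintext
    yields a different token on every call, which is what the question observed."""
    iv = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, iv, len(plaintext))))
    tag = hmac.new(key, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag

def unprotect(key: bytes, token: bytes):
    """Return the plaintext, or None if the token is malformed or tampered with."""
    if len(token) < 48:
        return None
    iv, ct, tag = token[:16], token[16:-32], token[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, iv + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, iv, len(ct))))

def issue_cookie(key: bytes) -> bytes:
    """Set once per session: a random secret, encrypted into the cookie."""
    return protect(key, os.urandom(SECRET_LEN))

def render_form_token(key: bytes, cookie: bytes, salt: str) -> bytes:
    """Each GET re-encrypts the cookie's secret (plus the salt) under a new IV."""
    secret = unprotect(key, cookie)
    if secret is None:
        raise ValueError("invalid cookie token")
    return protect(key, secret + salt.encode())

def validate(key: bytes, cookie: bytes, form_token: bytes, salt: str) -> bool:
    """On POST, both halves must decrypt to the same secret and the expected salt."""
    cookie_secret = unprotect(key, cookie)
    form_plain = unprotect(key, form_token)
    if cookie_secret is None or form_plain is None:
        return False
    return hmac.compare_digest(form_plain, cookie_secret + salt.encode())
```

Rendering the form twice for the same cookie yields two different form tokens that both validate, while a token from another session's cookie, a different salt, or a tampered byte is rejected.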