I know that Stack Exchange sites do not use the ASP.NET MVC built-in @Html.AntiForgeryToken()
for the prevention of XSRF/CSRF attacks. Instead of creating a hidden input named __RequestVerificationToken
with a really long value based on the machineKey section of the web.config, the Stack Exchange method creates an input named fkey
with a MUCH more succinct value. This is apparently a Guid, and based on evidence from the Stack Exchange Data Explorer project on Google Code, this value is tied to each individual user, remaining fairly constant until you log in or out.
Also, the Stack Exchange value is constant on a page, and is made available to client script, so that Ajax posts for voting and things like that also use the token. By contrast
So why does Stack Exchange march to its own drummer?
I've been unable to find any blog posts from Jeff or others on the Stack Exchange team to explain the guiding principles behind how the XSRF-prevention policy on the SE network. It would be really nice if one of them could do a write-up, assuming of course that it could be done in general terms without creating a vulnerability. It would be really valuable information for those of us that want to make our websites secure, but aren't entirely comfortable just blindly trusting Microsoft to do it for us.
The one limitation we ran into with the default implementation was the lack of out-of-the-box support for AJAX calls. The hidden field approach works for sites that primarily deal with traditional form POSTs; but, not quite for AJAX heavy sites like SO.
We implemented the approach outlined in this CodeThinked blog post and we couldn't be happier. It looks like Phil Haack also supports this approach, based on his oct 2011 blog post
Couple of (unsolicited, I know!) pointers:
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With