 

Do ASP.NET MVC CSRF Anti-Forgery Tokens expire?

I am implementing CSRF Anti-Forgery protection in my ASP.NET MVC 5 application. In particular, I am referencing the approach described by Mike Wasson on the ASP.NET website to protect controller methods that respond to AJAX requests, such as in WebAPI controllers. This approach makes use of the AntiForgery.GetTokens method to generate user-based cryptographic anti-forgery tokens, and then AntiForgery.Validate to verify that the submitted tokens belong to the current user.

My question is this: is there a time-to-live for these tokens? Do they expire, and if so, how long are they good for? The documentation is mute on the subject.

I do not want to permit non-expiring tokens in my system. Additionally, I want to communicate to the client how much time they have before requesting a new token is necessary. I can implement expiring tokens, if necessary, using FormsAuthentication.Encrypt; however, if expiration is already built into the AntiForgery class' methods, then I'd like to spare myself the unnecessary complexity.

asked Jan 14 '15 by kbrimington
1 Answer

The idea is that two tokens are generated by every vulnerable HTTP POST and sent directly to the server. Therefore, if you click the "Submit" button on a form, two tokens are generated: a cookie and a form value, both based on the user credentials, as can be read here (nicely written article): http://www.asp.net/mvc/overview/security/xsrfcsrf-prevention-in-aspnet-mvc-and-web-pages

The cookie token, which actually can expire, is redundant and not necessary for the system, except for the case where an anonymous authentication is tried. E.g. see here (first answer): MVC 2 AntiForgeryToken - Why symmetric encryption + IPrinciple?

Still, your other token is not readable for attackers, and these tokens are generated with each new request. Therefore, no need to worry about the expiration date.

Edit: Actually, all this can also be read in the comment section of the article you are referring to (Mike Wasson) ;)

answered Sep 29 '22 by frggu
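As an added example (not code from the question, the answer, or Mike Wasson's article), the following shows the two-token AJAX flow the question refers to, with the expiring wrapper the asker considered building on FormsAuthentication.Encrypt. It assumes ASP.NET MVC 5 / Web API 2 with System.Web.Helpers referenced, a hypothetical request header name "X-XSRF-Token", and an assumed 30-minute lifetime; the built-in AntiForgery tokens themselves carry no lifetime, which is why the form token is wrapped in a FormsAuthenticationTicket here.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web;
using System.Web.Helpers;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
using System.Web.Security;

// Added example. Assumptions: header name and lifetime below are hypothetical.
public static class AjaxAntiForgery
{
    public const string HeaderName = "X-XSRF-Token";                   // assumed header name
    static readonly TimeSpan TokenLifetime = TimeSpan.FromMinutes(30); // assumed policy

    // GET side: refresh the cookie half if needed, return the header half to the
    // client wrapped in an encrypted, MAC'd ticket that carries an expiry.
    public static string IssueToken(HttpContextBase ctx)
    {
        HttpCookie existing = ctx.Request.Cookies[AntiForgeryConfig.CookieName];
        string oldCookieToken = existing == null ? null : existing.Value;

        string newCookieToken, formToken;
        AntiForgery.GetTokens(oldCookieToken, out newCookieToken, out formToken);

        // GetTokens returns null for newCookieToken when the old cookie is still usable.
        if (newCookieToken != null)
        {
            ctx.Response.Cookies.Add(new HttpCookie(AntiForgeryConfig.CookieName, newCookieToken)
            {
                HttpOnly = true,
                Secure = ctx.Request.IsSecureConnection
            });
        }

        // FormsAuthentication.Encrypt uses the machineKey, so the client cannot extend the expiry.
        DateTime now = DateTime.Now;
        var ticket = new FormsAuthenticationTicket(1, "xsrf", now, now.Add(TokenLifetime), false, formToken);
        return FormsAuthentication.Encrypt(ticket);
    }

    // Seconds left before the client must fetch a fresh token (to report to the client).
    public static int SecondsRemaining(string wrappedToken)
    {
        FormsAuthenticationTicket ticket = Unwrap(wrappedToken);
        return ticket == null ? 0 : Math.Max(0, (int)(ticket.Expiration - DateTime.Now).TotalSeconds);
    }

    // POST side: both halves must be present, the wrapper unexpired and untampered, and
    // AntiForgery.Validate must tie the form token to the cookie token and the current user.
    public static void ValidateRequest(HttpRequestMessage request)
    {
        string cookieToken = request.Headers.GetCookies(AntiForgeryConfig.CookieName)
            .Select(h => h[AntiForgeryConfig.CookieName])
            .Where(c => c != null)
            .Select(c => c.Value)
            .FirstOrDefault();

        IEnumerable<string> headerValues;
        if (cookieToken == null || !request.Headers.TryGetValues(HeaderName, out headerValues))
            throw Forbidden("anti-forgery cookie or header missing");

        FormsAuthenticationTicket ticket = Unwrap(headerValues.FirstOrDefault());
        if (ticket == null || ticket.Expired)
            throw Forbidden("anti-forgery token expired or invalid");

        try
        {
            AntiForgery.Validate(cookieToken, ticket.UserData); // throws on mismatch
        }
        catch (HttpAntiForgeryException)
        {
            throw Forbidden("anti-forgery token does not match cookie or user");
        }
    }

    static FormsAuthenticationTicket Unwrap(string wrapped)
    {
        if (string.IsNullOrEmpty(wrapped)) return null;
        try { return FormsAuthentication.Decrypt(wrapped); }
        catch (ArgumentException) { return null; } // tampered or not a ticket
    }

    static HttpResponseException Forbidden(string reason)
    {
        return new HttpResponseException(new HttpResponseMessage(HttpStatusCode.Forbidden) { ReasonPhrase = reason });
    }
}

// Apply [ValidateAjaxAntiForgeryToken] to state-changing Web API actions or controllers.
public sealed class ValidateAjaxAntiForgeryTokenAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(HttpActionContext actionContext)
    {
        AjaxAntiForgery.ValidateRequest(actionContext.Request);
    }
}
```

A GET endpoint returns `AjaxAntiForgery.IssueToken(...)` (and optionally `SecondsRemaining`) as JSON; the browser sends the cookie half automatically, while page script must add the wrapped token in the assumed header, which a cross-site form post cannot do. The wrapper only adds the lifetime: the user binding is still enforced by AntiForgery.Validate, so an expired wrapper and a token minted for another user are both rejected.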