I am learning CSRF prevention techniques and it is mentioned that AntiForgeryToken is one of the ways to prevent it. In an ASP.NET MVC application we can use the HTML helper to add the token.
When I use fiddler I notice that the value of the token in the hidden form input tag and the value in the Cookie of the same name are different. Is this how it is supposed to be?
In that case, how does the ASP.NET framework take care to find that the request is not forged?
Hope my question is clear.
There is a different set of data serialized to the cookie (the "salt" and token) and to the HTML markup (salt, token, creation time, username). They are different but still comparable.
Some more detailed explanation:
MVC's cookies have internal structure, so their serialized version looks different. The actual security token that is inside should be identical. The serializer stores different information, depending on what information is present (user identity name, etc.). There is also a version byte, an indicator whether this is a session cookie, etc.
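A simplified model of the mechanism the answer describes, added here as an example and not ASP.NET's own code: the cookie and form values carry different fields, so their encoded strings differ, yet validation compares only the inner random token they share and checks that the form token was issued to the current user. Real ASP.NET also signs and encrypts both blobs with the machine key; the field layout, version byte and helper names below are constructed assumptions.

```python
import base64
import hmac
import os
import struct

VERSION = 1  # constructed version byte for this model; real ASP.NET values differ
TOKEN_LEN = 16


def new_security_token() -> bytes:
    """Random inner token that both the cookie and the form field carry."""
    return os.urandom(TOKEN_LEN)


def cookie_token(secret: bytes, is_session: bool = True) -> str:
    """Cookie side: version byte, session-cookie flag, inner token."""
    blob = struct.pack("B?", VERSION, is_session) + secret
    return base64.urlsafe_b64encode(blob).decode()


def form_token(secret: bytes, username: str, created: int) -> str:
    """Form side: version byte, inner token, creation time, username."""
    name = username.encode("utf-8")
    blob = struct.pack("B", VERSION) + secret + struct.pack(">QB", created, len(name)) + name
    return base64.urlsafe_b64encode(blob).decode()


def parse_cookie(value: str) -> bytes:
    raw = base64.urlsafe_b64decode(value)
    version, _is_session = struct.unpack("B?", raw[:2])
    if version != VERSION or len(raw) != 2 + TOKEN_LEN:
        raise ValueError("malformed cookie token")
    return raw[2:]


def parse_form(value: str) -> tuple:
    raw = base64.urlsafe_b64decode(value)
    header = 1 + TOKEN_LEN + 9  # version + token + created (8) + name length (1)
    if len(raw) < header or raw[0] != VERSION:
        raise ValueError("malformed form token")
    secret = raw[1:1 + TOKEN_LEN]
    created, name_len = struct.unpack(">QB", raw[1 + TOKEN_LEN:header])
    if len(raw) != header + name_len:
        raise ValueError("malformed form token")
    return secret, raw[header:].decode("utf-8")


def validate(cookie_value: str, form_value: str, current_user: str) -> bool:
    """Accept only if the inner tokens match and the form token belongs to current_user."""
    try:
        cookie_secret = parse_cookie(cookie_value)
        form_secret, username = parse_form(form_value)
    except (ValueError, struct.error, UnicodeDecodeError):
        return False
    return hmac.compare_digest(cookie_secret, form_secret) and username == current_user
```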