
Lifetime and multiple use of an AntiForgeryToken?

I'm trying to implement antiforgerytokens to an angular application's ajax requests.

Is there a lifetime attached with the antiforgerytoken? If I have the app open for a long while in a web browser without touching it, say for a month, will the ajax requests fail due to a stale token?

Can the token be reused for multiple calls? Can I keep one token somewhere in the page and retrieve it for all ajax calls?

Carl R asked Aug 12 '13 10:08


1 Answer

Indeed, APIs are supposed to be consumed by 3rd parties, but what about single-page interfaces with AFT?

I'm concerned they still require AFT in order to prevent CSRF attacks. And here is a good way to use them in Ajax requests.

The antiforgery token is generated per session and remains in the session data until it expires. For a new session, a new token will be generated. And yes, a single token can be reused multiple times within the same session.

Please check the link I've added; there is an example of how the token might be obtained for Ajax requests.

Johnny_D answered Nov 09 '22 07:11
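An added example, not part of the original question or answer: a client-side wrapper that keeps one token, sends it with every ajax call, and fetches a new one and retries once when the server rejects a stale token, following the answer's description of one token per session. The header name, the 403 rejection status, the `fetchToken`/`transport` hooks, the `/api/items` URL and the in-memory server are assumptions constructed for illustration.

```javascript
// Added example. TOKEN_HEADER, STALE_STATUS, fetchToken and transport are
// assumptions for illustration, not names taken from the page.
const TOKEN_HEADER = 'RequestVerificationToken'; // assumed request header
const STALE_STATUS = 403; // assumed status the server returns for a bad token

function createCsrfClient(fetchToken, transport) {
  let token = null; // one token, cached and reused for every call

  // Sends the request with the cached token. If the server rejects it
  // (for example the session behind the token expired), fetch a fresh
  // token and retry exactly once.
  async function send(request) {
    for (let attempt = 0; attempt < 2; attempt++) {
      if (attempt > 0 || token === null) token = await fetchToken();
      const headers = Object.assign({}, request.headers, { [TOKEN_HEADER]: token });
      const response = await transport(Object.assign({}, request, { headers }));
      if (response.status !== STALE_STATUS) return response;
    }
    throw new Error('rejected even with a fresh antiforgery token');
  }
  return { send };
}

// Constructed in-memory stand-in for the backend: one valid token per session.
function createFakeServer() {
  let session = 0;
  const log = { issued: 0, accepted: 0, rejected: 0 };
  const current = () => 'token-for-session-' + session;
  return {
    log,
    expireSession() { session += 1; },
    fetchToken: async () => { log.issued += 1; return current(); },
    transport: async (req) => {
      const ok = req.headers[TOKEN_HEADER] === current();
      if (ok) log.accepted += 1; else log.rejected += 1;
      return { status: ok ? 200 : STALE_STATUS };
    },
  };
}

async function demo() {
  const server = createFakeServer();
  const client = createCsrfClient(server.fetchToken, server.transport);
  await client.send({ method: 'POST', url: '/api/items' }); // fetches a token
  await client.send({ method: 'POST', url: '/api/items' }); // reuses it
  server.expireSession(); // tab left open, session gone
  await client.send({ method: 'POST', url: '/api/items' }); // refresh + retry
  return server.log;
}
```

In a real application `fetchToken` would read the token from the page or request it from the server, and `transport` would wrap the ajax call.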