Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Why is AntiForgeryToken's hidden field not same as its cookies on my machine?

I just did a quick test with a simple ASP.NET MVC 3 sample by modifying default LogOn form. According to this article, both hidden field __RequestVerificationToken and cookies __RequestVerificationToken_Lw__ must contain same value that generated by Html.AntiForgeryToken(). But it isn't exactly same when I got them in Fiddle, by the way, looking at MVC 3 source code, method GetAntiForgeryTokenAndSetCookie seemed not use salt value for generating the cookies. Was there any change in MVC 3?

Forgot to say that I could still log on successfully with both normal or Ajax POST request.

Here is raw log from Fiddle:

POST http://localhost:51713/Account/LogOn HTTP/1.1
Referer: http://localhost:51713/Account/LogOn
Content-Length: 256
Origin: http://localhost:51713
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Cookie: __RequestVerificationToken_Lw__=OIRtVqUvNt/LfDGeoVy3W1VhdKN7MwdbUZmRNScz4NqS4uV0I0vQH2MHg77SsVhcinK5SJi9mVcdBUWk2VMiPTk8EMUN2Zq0X4ucK8XQ3/zr6NoiIvVF73Bq8ahbFaY/IrNrWY7mmzvO9j/XVLNN2lNqgCd6I3UGZAw3/nlOmpA=

__RequestVerificationToken=zeDS%2F8MZE%2BLf%2FrRhevwN51J7bOE3GxlGNLQc8HogwFctF7glU1JboHePTTHa5YFe9%2FD2sY7w167q53gqvcwYZG1iZeecdnO4fdg6URdR4RUR%2BjIgk1apkXoxQ2xg48REfv4N5D4SHKU4MAf30Diy0MVyyF9N2Dl7uUGT6LbKHZU%3D&UserName=Tien&Password=tien&RememberMe=false
like image 749
Tien Do Avatar asked Aug 25 '11 06:08

Tien Do


People also ask

How do you fix Anti-forgery cookies?

The common “possible solutions” to anti-forgery token/cookie related issues are disabling output caching and enabling heuristic checks.

How does AntiForgeryToken work in MVC?

AntiforgeryToken used for validating the post request. So if we access an MVC or RazorPages view which contains the form element with an attribute 'method="post"' then the view gets rendered with an automatic generated AntiforgertyToken value, which gets injected into the form as hidden input field.

What is __ Requestverificationtoken cookie?

__RequestVerificationToken Session www.ese-hormones.org Strictly Necessary This is an anti-forgery cookie set by web applications built using ASP.NET MVC technologies. It is designed to stop unauthorized posting of content to the website, known as Cross-Site Request Forgery.


2 Answers

what makes you think they should be the same ? :) of course, they must me comparable in some way, but that doesnt mean they must look identical in their serialized form. There is different set of data serialized to cookie (i think only the "salt" and token) and to HTML markup (salt, token, creation time, username).

If you are interested in details, take ILSpy and look for System.Web.Mvc.AntiForgeryDataSerializer, System.Web.Mvc.AntiForgeryData and OnAuthorization method of System.Web.Mvc.ValidateAntiForgeryTokenAttribute

like image 137
rouen Avatar answered Sep 19 '22 12:09

rouen


The article you are referencing in your question is simply wrong, because the hidden field anti forgery token will never be the same as anti forgery cookie value.

Added value of my answer is the link to interesting article which describes ASP.NET anti-forgery token internals. It, among others, provides clear steps to decode and decrypt cookie/form token:

BitConverter.ToString(System.Web.Helpers.AntiXsrf.MachineKey45CryptoSystem.Instance.Unprotect(tokenValue))

... and subsequent steps in order to match the cookie and form tokens.

like image 39
Michal Hosala Avatar answered Sep 22 '22 12:09

Michal Hosala