I am currently working on an ASP.NET MVC 4 application. We use the provided [ValidateAntiForgeryToken] attribute and the corresponding @Html.AntiForgeryToken() helper to create a hidden field in our forms that are submitted using POST.
So far, the mechanism is working correctly, because if I do not provide the token as a hidden input for the target action annotated with [ValidateAntiForgeryToken], the error occurs as expected.
However, it seemed strange to me that if I capture several generated tokens using Firebug or the Chrome inspector, copy them to Notepad, then go to another page that also uses AntiForgeryToken and replace the hidden field with any of the previously generated tokens, the error does not arise. I expected that it would always be a 1:1 relationship (hidden field on the page - validation at the server), because if someone can get this value, he will be able to forge any request to any form of the application that requires AntiForgeryToken.
I got the impression that after a token is created it should not be possible to reuse the same token again; I see this as a security error in the Framework itself.
If someone can provide a deeper understanding, I will be very grateful.
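The behaviour described in the question follows from how the token pair is bound. The following is an added, simplified Python model of a cookie-token plus form-token scheme (it is not the asker's code and not ASP.NET's implementation, which encrypts and signs the tokens with the machine key): the form token carries the per-session cookie token and the authenticated user name, and validation checks those two bindings, not which page rendered the field. The key, the user name and the `.`-separated token layout are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed server-side key; ASP.NET derives this from the machine key.
SERVER_KEY = b"constructed-example-key-do-not-reuse"


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_cookie_token() -> str:
    """Random per-session value stored in the anti-forgery cookie."""
    return secrets.token_hex(16)


def issue_form_token(cookie_token: str, username: str) -> str:
    """Hidden-field token: binds the cookie token and the user, then signs.
    A fresh nonce makes every rendered token look different even though no
    page identity is included, which is why tokens are interchangeable
    across pages of the same session."""
    payload = json.dumps(
        {"c": cookie_token, "u": username, "n": secrets.token_hex(4)}
    ).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def validate(cookie_token: str, form_token: str, username: str) -> bool:
    """Server-side check: signature intact, cookie matches, user matches."""
    try:
        b64, sig = form_token.split(".")
        payload = base64.urlsafe_b64decode(b64)
    except ValueError:
        return False
    if not hmac.compare_digest(_sign(payload), sig):
        return False
    data = json.loads(payload)
    return hmac.compare_digest(data["c"], cookie_token) and data["u"] == username


def demo() -> dict:
    """Reproduces the question's observation and the case it protects against."""
    victim_cookie = issue_cookie_token()
    page_a = issue_form_token(victim_cookie, "alice")   # token rendered on page A
    page_b = issue_form_token(victim_cookie, "alice")   # token rendered on page B
    return {
        "page_a_on_a": validate(victim_cookie, page_a, "alice"),
        "page_a_reused_on_b": validate(victim_cookie, page_a, "alice"),  # accepted: same session
        "tokens_differ": page_a != page_b,
        "other_session": validate(issue_cookie_token(), page_a, "alice"),  # rejected: cookie mismatch
        "other_user": validate(victim_cookie, page_a, "bob"),              # rejected: user mismatch
        "tampered": validate(victim_cookie, page_a[:-1] + "0", "alice"),   # rejected: bad signature
    }
```

A captured form token is therefore only useful together with the matching session cookie, which is what the cookie-plus-hidden-field design relies on.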