Is it possible to change the AntiForgeryToken value in ASP.NET MVC after each check?

Question

Is it possible to change the AntiForgeryToken value in ASP.NET MVC after each check?

We just had penetration testing performed in an application that we created using ASP.NET MVC, and one of the recommendations that came back was that the AntiForgeryToken value in the form can be resubmitted and does not expire after one use.

According to the OWASP recommendation around the synchronizer marker template:

"In general, developers only need to generate this token once for the current session."

This is how I think ASP.NET MVC AntiForgeryToken works.

If we need to fight the battle, is it possible to get AntiForgeryToken to restore a new value after each check?

+3

security asp.net-mvc antiforgerytoken

jmcd Feb 08 '10 at 9:51

source share

2 answers

Perhaps you can use AntiForgeryToken using three parameter constructors .

The use of salt is always recommended, but also restricting the token by domain and path will make your token more secure and unique for each page.

~~XSS, -:)~~// ? , .

!

-1

Pedro Laguna 08 . '10 11:58

Levi · Accepted Answer · 2010-04-23T16:47:36+0000

The anti-fake symbol is only an anti-XSRF token. In particular, it is not a one-time nonce. If you need a one-time nonce application for your application, you cannot use the anti-fake token for this purpose. There are no built-in functions for this.

Is it possible to change the AntiForgeryToken value in ASP.NET MVC after each check?

More articles: