how does ASP.NET validate anti-forgery token

asp.net security xss antiforgerytoken
Steve picture Steve · Oct 29, 2014 · Viewed 28.6k times · Source

I wonder how does ASP.NET check if an anti-forgery token is valid or not? Like where is ASP.NET storing those tokens? And how are they stored?

Answer

TeamTam picture TeamTam · Oct 29, 2014

The short version is that a generated token is stored in 2 places: (a) cookie (b) hidden form value. When the form is submitted, these 2 values are compared against each other to determine if they are valid. For further reading:

http://www.asp.net/web-api/overview/security/preventing-cross-site-request-forgery-(csrf)-attacks http://www.codeproject.com/Articles/793384/ASP-NET-Anti-Forgery-Tokens-internals

Related questions

How to properly sanitize content with AntiXss Library?

I have a simple forums application, when someone posts any content, i do: post.Content = Sanitizer.GetSafeHtml(post.Content); Now, i am not sure if i am doing something wrong, or what is going on, but it does not allow …

Read More
What are all the user accounts for IIS/ASP.NET and how do they differ?

Under Windows Server 2008 with ASP.NET 4.0 installed there is a whole slew of related user accounts, and I can't understand which one is which, how to they differ, and which one is REALLY the one that my app runs under. …

Read More
X-Frame-Options Allow-From multiple domains

I have an ASP.NET 4.0 IIS7.5 site which I need secured using the X-Frame-Options header. I also need to enable my site pages to be iframed from my same domain as well as from my facebook app. Currently I have …

Read More