KenaGT
0 Points
6 Posts
AntiForgeryToken expiration ASP.NET MVC 3
Feb 20, 2013 04:17 PM
How does AntiForgeryToken get invalidated? I have set up this token to prevent CSRF attacks on my login page and have inspected it with Fiddler. When I call the GET method, the token is generated as a hidden field, __RequestVerificationToken. When I post login data, should this token be changed on the next GET call? I capture this value with the POST data in Fiddler and reissue/replay the request, and this works. Is this good behavior, or should this replay not happen because the token value should not be valid after I leave that form?
CPrakash82
All-Star
18314 Points
2851 Posts
Re: AntiForgeryToken expiration ASP.NET MVC 3
Feb 21, 2013 01:23 AM
Yes.
Yes, it will not be valid after leaving the form.