Last post Apr 08, 2019 08:57 AM by Titto Thomas
Mar 29, 2019 05:15 PM | Chris.Thompson
I am working on a project which uses MVC5 in an SPA fashion. We have recently noticed an issue with the Anti Forgery Token system now that we have applied it to most of the Areas in our site. The issue occurs when a user does some work in one tab, and then opens a new tab in the same browser in order to go do something else (often, it is to view data on a different page).
This causes our anti forgery tokens to sometimes overwrite each other, leading to some form of race condition that leaves one of the tabs with an invalid anti forgery token.
Based on my reading of the following posts:
I have attempted to fix the problem by adding an Anti Forgery Token (using Html.AntiForgeryToken()) to the initial home page of the site once a user has logged in. In our brief testing so far, it seems to have solved the issue. However, I am not a security expert, so I do not know if there is an underlying problem with this approach that will open us back up to CSRF attacks.
Are there any concerns with solving this problem in this fashion?
Apr 01, 2019 02:29 AM | Ackerly Xu
Hi Chris.Thompson,
It seems that your website uses the same CSRF token.
Generally speaking, other websites could hardly get the token which is in your website's page because of the cross-origin policy. https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
However, the longer the token stays on the site, the more likely it is to be stolen by other sites.
If your website needs absolute safety, you had better not do that for temporary convenience.
If the data of your users is relatively not so important, you could consider using this way, because after all other websites have few ways to get your website's token which is stored in your website's hidden field.
Apr 08, 2019 08:57 AM | Titto Thomas
As you have mentioned that you developed this application in an SPA fashion, I guess you are using the "Authorization" header for sending the authentication token along with all requests. If so, you don't even need to worry about CSRF attacks, because CSRF will be applicable only to cookie-based web applications.
Reference: https://security.stackexchange.com/questions/170388/do-i-need-csrf-token-if-im-using-bearer-jwt/170405#170414