AntiForgeryToken 在幕后如何工作？

Question

I know the basics of CSRF and AntiForgeryToken .

I also know that there are many similar questions around but none seemed to describe the implementation details, which is the part I'm interested in.

Each time you call Html.AntiForgeryToken() , it generates a new random token :

1. Can I have multiple active tokens at the same time? (I assume it's yes here)
2. Can I use any of those tokens in another form? (I assume it's yes here)
3. Can I use the same token more than once?
4. Is there a security reason why the token is random everytime? Couldn't it be the same token for the whole session?

The token is stored in a cookie

4. When I have multiple forms and tokens in my page, does it mean I have multiple cookies or only 1 cookie containing all the active tokens?

Also...

5. How is the token generated and is it possible to validate it manually.

Answer 1

1.Can I have multiple active tokens at the same time? (I assume it's yes here)

-> Yes.

2.Can I use any of those tokens in another form? (I assume it's yes here)

-> Yes.

3.Can I use the same token more than once?

-> Short answer is yes you can. Long answer: It depends on multiple factors, you would have to regenerate the token if,

Your cookie expires
Your user identity has changed.       
Your additional data provider has decided that your token is no  
longer valid.

4.Is there a security reason why the token is random every time? Couldn't it be the same token for the whole session?

-> You don't want anyone to be able to predict your token. Remember there is no inbuilt auto expiration of the cookie token.

1.When I have multiple forms and tokens in my page, does it mean I have multiple cookies or only 1 cookie containing all the active tokens?

-> At any given point of time there would be only one cookie that will be active for a session, that cookie has a SecurityToken property. Every valid anti-forgery token on the page would have the same SecurityToken (otherwise it would fail validation).

1.How is the token generated and is it possible to validate it manually.

I would suggest to read the post explaining the internals here and code here

I am actually thinking why would you need to use the same anti-forgery token across forms.. it might be helpful if you share your scenario.

Answer 2

对于最后一个问题，您可以使用以下内容验证 AntiForgeryTokens：

System.Web.Helpers.AntiForgery.Validate(cookie.Value, formValue);

Answer 3

Answering in terms of ASP.NET Core just in case anyone stumbles upon this post from Google.

The following is based off this article :

Can I have multiple active tokens at the same time?

Yes. If you have two tabs open and hit the same URL that returns to you a page with a form containing an antiforgery token, you'll have a different token in the HTML on each page. But you'll have the same token in your cookie.

Can I use any of those tokens in another form?

Yes. You can test this by hitting the URL in two tabs, open Developer Options and swap out the tokens, and the application won't know any better.

Can I use the same token more than once?

Yes. As long as the token in the HTML was generated along with your cookie, then if you're using the same cookie, you could use the same token in your HTML as before.

Is there a security reason why the token is random everytime? Couldn't it be the same token for the whole session?

See the accepted answer by Harsh Gupta.

When I have multiple forms and tokens in my page, does it mean I have multiple cookies or only 1 cookie containing all the active tokens?

See the accepted answer by Harsh Gupta.

How is the token generated and is it possible to validate it manually.

Here is a summary from the article I linked above:

• Build a byte array using a random number generator.

• Generate a unique array based on step 1.

• Encrypt the array.

• Prepend a magic header and the defaultKeyId to the encrypted array.

• Base64URL encode the encrypted array and use this as the token string.