Question

How does the AntiForgeryToken get invalidated? I have set up this token to prevent CSRF attacks on my login page and have inspected it with Fiddler. When I call the GET method, the token is generated as a hidden field __RequestVerificationToken. When I post login data, should this token be changed on the next GET call? I catch this value with Fiddler along with the post data and reissue/replay the request, and this works. Is this good behavior, or should this replay not happen because the token value should not be valid after I leave that form?

Thanks in advance.


Solution

The token is tied to a session cookie; when the session goes away and the cookie disappears the token will be rendered invalid. The reason replays work in Fiddler is that Fiddler is capturing (and replaying) both the session cookie and the form token.

You could simulate session expiration by removing the request's Cookie header from within Fiddler before replaying. The server should then reject the form's __RequestVerificationToken field.
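The answer's point is that the hidden field is only half of the token: the server pairs it with a cookie of the same name and rejects the POST when either half is missing or the two were not issued together. The following is an added illustration written for this page, not the ASP.NET framework's own code: a small Python re-implementation of a cookie-paired anti-forgery token (the server key, the username binding and the request dicts standing in for the Cookie header and POST body are assumptions), followed by the four replays a practitioner would want to try in Fiddler, including the one the answer suggests.

```python
"""Cookie-paired anti-forgery token, modelled on the scheme the answer
describes. Illustrative re-implementation for this page, not ASP.NET's code.
The form field __RequestVerificationToken is only valid together with the
__RequestVerificationToken cookie it was issued against."""
import base64
import hashlib
import hmac
import secrets

COOKIE_NAME = "__RequestVerificationToken"  # ASP.NET uses this name for both halves
FIELD_NAME = "__RequestVerificationToken"
# Assumption: a per-application secret (ASP.NET derives this from the machine key);
# here it is generated fresh per process.
SERVER_KEY = secrets.token_bytes(32)


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_cookie_token() -> str:
    """Random value set as an HttpOnly cookie on the first GET of the form."""
    return _b64(secrets.token_bytes(16))


def issue_form_token(cookie_token: str, username: str = "") -> str:
    """Hidden-field half: a MAC over the cookie half plus the identity the
    form was rendered for, so a forged field cannot pair with an arbitrary
    cookie and an anonymous token cannot be reused after login."""
    payload = username.encode("utf-8")
    mac = hmac.new(SERVER_KEY, cookie_token.encode("ascii") + b"|" + payload,
                   hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def validate(cookies: dict, form: dict, username: str = "") -> bool:
    """Server-side check on POST: both halves present, MAC consistent with the
    cookie, and the embedded identity matches the current user."""
    cookie_token = cookies.get(COOKIE_NAME)
    form_token = form.get(FIELD_NAME)
    if not cookie_token or not form_token or "." not in form_token:
        return False
    payload_b64, mac_b64 = form_token.rsplit(".", 1)
    try:
        payload = _unb64(payload_b64)
        mac = _unb64(mac_b64)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if payload.decode("utf-8", "replace") != username:
        return False
    expected = hmac.new(SERVER_KEY, cookie_token.encode("ascii") + b"|" + payload,
                        hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


def replay_scenarios() -> dict:
    """Reproduce what the questioner saw in Fiddler. The dicts are constructed
    stand-ins for the captured Cookie header and POST body."""
    cookie = issue_cookie_token()          # GET /login sets the cookie half ...
    field = issue_form_token(cookie)       # ... and embeds the matching form half
    captured_cookies = {COOKIE_NAME: cookie}
    captured_form = {FIELD_NAME: field, "user": "alice", "pass": "hunter2"}
    other_cookie = issue_cookie_token()    # a different visitor's session
    return {
        "original_post": validate(captured_cookies, captured_form),
        # Fiddler replays the Cookie header too, so the pair is still consistent
        "fiddler_replay": validate(captured_cookies, captured_form),
        # the answer's suggestion: strip the Cookie header before replaying
        "replay_without_cookie": validate({}, captured_form),
        # the actual CSRF case: the captured field arrives with someone else's cookie
        "field_with_other_session_cookie": validate({COOKIE_NAME: other_cookie}, captured_form),
        # a token rendered for an anonymous visitor, checked after login as alice
        "anonymous_token_after_login": validate(captured_cookies, captured_form, username="alice"),
    }


if __name__ == "__main__":
    for name, accepted in replay_scenarios().items():
        print(f"{name:35s} {'accepted' if accepted else 'rejected'}")
```

The first two scenarios are the questioner's observation: a replay that carries both the cookie and the field is indistinguishable from the user resubmitting the form, so it is accepted. The last three are the cases the token is actually designed to stop. An attacker's page can make the victim's browser send the victim's cookie, but cannot read that cookie to compute a matching field, so the cross-site POST fails the pairing check; the identity binding additionally rejects a field that was issued before login.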

Licensed under: CC-BY-SA with attribution