As I read it, the anti-forgery system that ASP.NET MVC implements generates a token that can be reused across the same session, so my question is: why then does this token change every time I generate a new form in my app? I am talking about the hidden input field, not about the cookie value.

Thanks.


Solution

No, the token is not reused.

Every page refresh will generate a new value in the form input (and in the cookie as well, in case it is invalid or does not exist). Upon submission, the server will try to match the form value against the cookie value.

Other tips

Taken from the Professional ASP.NET MVC 3 book:

Token Verification. ASP.NET MVC includes a nice way of preventing CSRF attacks, and it works on the principle of verifying that the user who submitted the data to your site did so willingly. The simplest way to do this is to embed a hidden input into each form request that contains a unique value. You can do this with the HTML Helpers by including this in every form:

<form action="/account/register" method="post">
    @Html.AntiForgeryToken()
    …
</form>

Html.AntiForgeryToken will output an encrypted value as a hidden input. This value will match another value that is stored as a session cookie in the user's browser. When the form is posted, these values will be matched using an ActionFilter:

[ValidateAntiForgeryToken]
public ActionResult Register(…)
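The two answers above describe the same rule: the hidden form value is regenerated on every render, while the cookie value stays the same for the session and is only re-issued when it is missing or invalid, and on POST the server checks that the two belong together. The following is an added illustration of that matching rule, not ASP.NET MVC's own implementation (which also encrypts the token and binds it to the logged-in identity): the form token carries a fresh random nonce plus an HMAC over the nonce and the cookie token, so every render yields a different hidden value, yet all of them validate against the one cookie. The key name `SERVER_KEY`, the helper names and the sample cookie jar are assumptions made for this example; the field name `__RequestVerificationToken` is the one MVC uses.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side key; in ASP.NET this role is played by the machine key.
SERVER_KEY = secrets.token_bytes(32)

FIELD_NAME = "__RequestVerificationToken"


def new_cookie_token() -> str:
    """Random session-scoped value stored in the anti-forgery cookie."""
    return secrets.token_urlsafe(16)


def ensure_cookie_token(cookies: dict) -> str:
    """Reuse the existing cookie token; issue a new one only if it is missing or malformed.

    `cookies` is a constructed stand-in for the request's cookie collection.
    """
    value = cookies.get(FIELD_NAME)
    if not value or not isinstance(value, str) or len(value) < 16:
        value = new_cookie_token()
        cookies[FIELD_NAME] = value  # would be written back as Set-Cookie
    return value


def new_form_token(cookie_token: str, key: bytes = SERVER_KEY) -> str:
    """Hidden-field value: nonce + HMAC(key, nonce || cookie_token).

    The nonce differs per render, so the hidden value differs per form,
    while the MAC ties every one of them to the same cookie token.
    token_urlsafe never emits ':', so the separator is unambiguous.
    """
    nonce = secrets.token_urlsafe(8)
    mac = hmac.new(key, f"{nonce}:{cookie_token}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}:{mac}"


def render_form(cookies: dict) -> str:
    """Render a form like @Html.AntiForgeryToken() would, given the request cookies."""
    cookie_token = ensure_cookie_token(cookies)
    return (
        '<form action="/account/register" method="post">\n'
        f'    <input type="hidden" name="{FIELD_NAME}" value="{new_form_token(cookie_token)}" />\n'
        "</form>"
    )


def validate(cookie_token: str, form_token: str, key: bytes = SERVER_KEY) -> bool:
    """What [ValidateAntiForgeryToken] enforces: form value must match the cookie value."""
    if not cookie_token or not form_token or ":" not in form_token:
        return False
    nonce, mac = form_token.split(":", 1)
    expected = hmac.new(key, f"{nonce}:{cookie_token}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def demo() -> dict:
    """Two renders in one session: different hidden values, same cookie, both valid."""
    jar = {}  # constructed empty cookie jar for a first request
    first = render_form(jar)
    cookie_after_first = jar[FIELD_NAME]
    second = render_form(jar)
    tok1 = first.split('value="')[1].split('"')[0]
    tok2 = second.split('value="')[1].split('"')[0]
    return {
        "cookie_reused": jar[FIELD_NAME] == cookie_after_first,
        "form_tokens_differ": tok1 != tok2,
        "first_valid": validate(jar[FIELD_NAME], tok1),
        "second_valid": validate(jar[FIELD_NAME], tok2),
        "other_session_rejected": validate(new_cookie_token(), tok1),
        "tampered_rejected": validate(jar[FIELD_NAME], tok1[:-1] + ("0" if tok1[-1] != "0" else "1")),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Running `demo()` shows the behaviour the question asks about: the cookie is issued once and reused, each render produces a new hidden value, every one of those values validates against that cookie, and a token from another session or a modified token is rejected.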
Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow