Why is AntiForgeryToken's hidden field not same as its cookies on my machine?
https://stackoverflow.com/questions/7186253
-
12-01-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russian質問
I just did a quick test with a simple ASP.NET MVC 3 sample by modifying default LogOn form. According to this article, both hidden field __RequestVerificationToken and cookies __RequestVerificationToken_Lw__ must contain same value that generated by Html.AntiForgeryToken(). But it isn't exactly same when I got them in Fiddle, by the way, looking at MVC 3 source code, method GetAntiForgeryTokenAndSetCookie seemed not use salt value for generating the cookies. Was there any change in MVC 3?
Forgot to say that I could still log on successfully with both normal or Ajax POST request.
Here is raw log from Fiddle:
POST http://localhost:51713/Account/LogOn HTTP/1.1
Referer: http://localhost:51713/Account/LogOn
Content-Length: 256
Origin: http://localhost:51713
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Cookie: __RequestVerificationToken_Lw__=OIRtVqUvNt/LfDGeoVy3W1VhdKN7MwdbUZmRNScz4NqS4uV0I0vQH2MHg77SsVhcinK5SJi9mVcdBUWk2VMiPTk8EMUN2Zq0X4ucK8XQ3/zr6NoiIvVF73Bq8ahbFaY/IrNrWY7mmzvO9j/XVLNN2lNqgCd6I3UGZAw3/nlOmpA=
__RequestVerificationToken=zeDS%2F8MZE%2BLf%2FrRhevwN51J7bOE3GxlGNLQc8HogwFctF7glU1JboHePTTHa5YFe9%2FD2sY7w167q53gqvcwYZG1iZeecdnO4fdg6URdR4RUR%2BjIgk1apkXoxQ2xg48REfv4N5D4SHKU4MAf30Diy0MVyyF9N2Dl7uUGT6LbKHZU%3D&UserName=Tien&Password=tien&RememberMe=false
解決
what makes you think they should be the same ? :) of course, they must me comparable in some way, but that doesnt mean they must look identical in their serialized form. There is different set of data serialized to cookie (i think only the "salt" and token) and to HTML markup (salt, token, creation time, username).
If you are interested in details, take ILSpy and look for System.Web.Mvc.AntiForgeryDataSerializer, System.Web.Mvc.AntiForgeryData and OnAuthorization method of System.Web.Mvc.ValidateAntiForgeryTokenAttribute
他のヒント
The article you are referencing in your question is simply wrong, because the hidden field anti forgery token will never be the same as anti forgery cookie value.
Added value of my answer is the link to interesting article which describes ASP.NET anti-forgery token internals. It, among others, provides clear steps to decode and decrypt cookie/form token:
BitConverter.ToString(System.Web.Helpers.AntiXsrf.MachineKey45CryptoSystem.Instance.Unprotect(tokenValue))
... and subsequent steps in order to match the cookie and form tokens.
