Antiforgery tokens are reusable Antiforgery tokens are reusable asp.net asp.net

Antiforgery tokens are reusable


c# asp.net asp.net-mvc csrf antiforgerytoken

The customer eventually agreed that the Antiforgery implementation of ASP.NET is sufficient.Just for fun I wanted to extend Antiforgery to meet the invalidation requirement.

The Antiforgery library has one extensibility point: IAntiforgeryAdditionalDataProvider (Core) and IAntiForgeryAdditionalDataProvider (pre-Core)

In ASP.NET MVC (pre-Core) you can set this on startup.

using System.Web;using System.Web.Helpers;// ...namespace AntiForgeryStrategiesPreCore{    public class MvcApplication : HttpApplication    {        protected void Application_Start()        {            // ...            AntiForgeryConfig.AdditionalDataProvider = new MyAdditionalDataProvider();        }    }}

For ASP.NET Core you need to register your IAntiforgeryAdditionalDataProvider as a service. If you don't it will use the DefaultAntiforgeryAdditionalDataProvider (source) which does nothing.

using System;using Microsoft.AspNetCore.Antiforgery;using Microsoft.AspNetCore.Builder;using Microsoft.AspNetCore.Hosting;using Microsoft.Extensions.Configuration;using Microsoft.Extensions.DependencyInjection;using Microsoft.Extensions.Logging;namespace AntiForgeryStrategiesCore{    // ...    public class Startup    {        // This method gets called by the runtime. Use this method to add services to the container.        public void ConfigureServices(IServiceCollection services)        {            services.AddSingleton<IAntiforgeryAdditionalDataProvider, SingleTokenAntiforgeryAdditionalDataProvider>();            // ...        }    }    // ...}

Now you can add additional data to your Antiforgery token which will be encypted into your cookie and and form field.Here's a MVC Core example that holds on to a single token in Session, and removes it after usage.

using Microsoft.AspNetCore.Antiforgery;using Microsoft.AspNetCore.Http;namespace AntiForgeryStrategiesCore{    public class SingleTokenAntiforgeryAdditionalDataProvider : IAntiforgeryAdditionalDataProvider    {        private const string TokenKey = "SingleTokenKey";        public string GetAdditionalData(HttpContext context)        {            var token = TokenGenerator.GetRandomToken();            context.Session.SetString(TokenKey, token);            return token;        }        public bool ValidateAdditionalData(HttpContext context, string additionalData)        {            var token = context.Session.GetString(TokenKey);            context.Session.Remove(TokenKey);            return token == additionalData;        }    }}

This isn't recommended because when you open multiple tabs with multiple forms, only one of the forms will have the valid token in session, and the other will fail. That's why I made one that holds on to multiple tokens.You can find that AdditionalDataProvider and others on GitHub (Time based, Queue based).

Recent Posts
How can I color dots in a xy scatterplot according to column value?
How to update a claim in ASP.NET Identity?
What does {0} mean when initializing an object?
Accessing members of items in a JSONArray with Java
How to log SQL statements in Spring Boot?
Powershell Get-WebSite name parameter is ignored
How to detect scroll to bottom of html element
Java synchronized method
How to test controllers with CodeIgniter?
Detect Visual Composer
Matplotlib: Specify format of floats for tick labels
Rails join a list of strings with commas and "and" before the last