Why is AntiForgeryToken's hidden field not same as its cookies on my machine?
I just did a quick test with a simple A开发者_Go百科SP.NET MVC 3 sample by modifying default LogOn form. According to this article, both hidden field __RequestVerificationToken
and cookies __RequestVerificationToken_Lw__
must contain same value that generated by Html.AntiForgeryToken()
. But it isn't exactly same when I got them in Fiddle, by the way, looking at MVC 3 source code, method GetAntiForgeryTokenAndSetCookie
seemed not use salt value for generating the cookies. Was there any change in MVC 3?
Forgot to say that I could still log on successfully with both normal or Ajax POST request.
Here is raw log from Fiddle:
POST http://localhost:51713/Account/LogOn HTTP/1.1
Referer: http://localhost:51713/Account/LogOn
Content-Length: 256
Origin: http://localhost:51713
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Cookie: __RequestVerificationToken_Lw__=OIRtVqUvNt/LfDGeoVy3W1VhdKN7MwdbUZmRNScz4NqS4uV0I0vQH2MHg77SsVhcinK5SJi9mVcdBUWk2VMiPTk8EMUN2Zq0X4ucK8XQ3/zr6NoiIvVF73Bq8ahbFaY/IrNrWY7mmzvO9j/XVLNN2lNqgCd6I3UGZAw3/nlOmpA=
__RequestVerificationToken=zeDS%2F8MZE%2BLf%2FrRhevwN51J7bOE3GxlGNLQc8HogwFctF7glU1JboHePTTHa5YFe9%2FD2sY7w167q53gqvcwYZG1iZeecdnO4fdg6URdR4RUR%2BjIgk1apkXoxQ2xg48REfv4N5D4SHKU4MAf30Diy0MVyyF9N2Dl7uUGT6LbKHZU%3D&UserName=Tien&Password=tien&RememberMe=false
what makes you think they should be the same ? :) of course, they must me comparable in some way, but that doesnt mean they must look identical in their serialized form. There is different set of data serialized to cookie (i think only the "salt" and token) and to HTML markup (salt, token, creation time, username).
If you are interested in details, take ILSpy and look for System.Web.Mvc.AntiForgeryDataSerializer
, System.Web.Mvc.AntiForgeryData
and OnAuthorization
method of System.Web.Mvc.ValidateAntiForgeryTokenAttribute
The article you are referencing in your question is simply wrong, because the hidden field anti forgery token will never be the same as anti forgery cookie value.
Added value of my answer is the link to interesting article which describes ASP.NET anti-forgery token internals. It, among others, provides clear steps to decode and decrypt cookie/form token:
BitConverter.ToString(System.Web.Helpers.AntiXsrf.MachineKey45CryptoSystem.Instance.Unprotect(tokenValue))
... and subsequent steps in order to match the cookie and form tokens.
精彩评论