MVC 2 AntiForgeryToken - Why symmetric encryption + IPrinciple?

前端 未结 2 1260
梦如初夏
梦如初夏 2021-02-15 16:54

We recently updated our solution to MVC 2, and this has updated the way that the AntiForgeryToken works. Unfortunately this does not fit with our AJAX framework any

2条回答
  •  孤独总比滥情好
    2021-02-15 17:39

    Besides the "evil subdomain"-scenario outlined by Levi, consider an attacker that has an account on the targeted site. If the CSRF-token does not encode user-specific information, the server can not verify that the token has been generated exclusively for the logged-in user. The attacker could then use one of his own legitimately acquired CSRF-tokens when building a forged request.

    That being said, anonymous tokens are during certain circumstances accepted by ASP.NET MVC. See Why does ValidateAntiForgeryTokenAttribute allow anonymous tokens?

提交回复
热议问题