Is it possible to make the AntiForgeryToken value in ASP.NET MVC change after each verification?

Posted by jmcd on Stack Overflow
Published on 2010-02-08T09:51:28Z Indexed on 2010/04/23 16:53 UTC
Hit count: 502

We've just had some penetration testing carried out on an application we've built using ASP.NET MVC, and one of the recommendations that came back was that the value of the AntiForgeryToken in the form could be resubmitted multiple times and did not expire after a single use.

According to the OWASP recommendations around the Synchronizer Token Pattern:

"In general, developers need only generate this token once for the current session."

Which is how I think the ASP.NET MVC AntiForgeryToken works.

In case we have to fight the battle, is it possible to cause the AntiForgeryToken to regenerate a new value after each validation?

© Stack Overflow or respective owner
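For readers who do end up having to satisfy the finding, the following is an added example (not code from the question, and not part of ASP.NET MVC itself) of a single-use token layered on top of the framework's own AntiForgeryToken. It assumes ASP.NET MVC 2 or later with session state enabled; the names `OneTimeTokenStore`, `ValidateOneTimeTokenAttribute`, `Html.OneTimeToken()`, the session key and the hidden-field name are all made up for this illustration. Each token is a fresh 256-bit random value stored in the user's session and removed the first time it validates, so a replayed form fails.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Web;
using System.Web.Mvc;

// Hypothetical one-time token store (example code, not a framework API).
// Tokens are kept per session and deleted on first successful validation.
public static class OneTimeTokenStore
{
    public const string FieldName = "__OneTimeToken";      // hidden form field (assumed name)
    private const string SessionKey = "__OneTimeTokens";   // session slot (assumed name)
    private const int MaxOutstanding = 50;                 // bounds memory; lets several tabs stay open
    private static readonly RNGCryptoServiceProvider Rng = new RNGCryptoServiceProvider();

    // Issue a new unguessable token and remember it for this session.
    public static string Issue(HttpSessionStateBase session)
    {
        List<string> tokens = GetList(session);
        byte[] bytes = new byte[32];
        Rng.GetBytes(bytes);                               // cryptographically random, 256 bits
        string token = Convert.ToBase64String(bytes);
        if (tokens.Count >= MaxOutstanding)
            tokens.RemoveAt(0);                            // drop the oldest unused token
        tokens.Add(token);
        session[SessionKey] = tokens;                      // re-store for out-of-process session providers
        return token;
    }

    // Returns true exactly once per issued token; a second submission of the same value fails.
    public static bool Consume(HttpSessionStateBase session, string token)
    {
        if (string.IsNullOrEmpty(token)) return false;
        List<string> tokens = GetList(session);
        bool found = tokens.Remove(token);
        session[SessionKey] = tokens;
        return found;
    }

    private static List<string> GetList(HttpSessionStateBase session)
    {
        List<string> tokens = session[SessionKey] as List<string>;
        if (tokens == null)
        {
            tokens = new List<string>();
            session[SessionKey] = tokens;
        }
        return tokens;
    }
}

// Authorization filter: rejects a POST whose one-time token is missing, unknown or already used.
// Use it alongside [ValidateAntiForgeryToken], not instead of it.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
public sealed class ValidateOneTimeTokenAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        HttpContextBase ctx = filterContext.HttpContext;
        string token = ctx.Request.Form[OneTimeTokenStore.FieldName];
        if (!OneTimeTokenStore.Consume(ctx.Session, token))
            throw new HttpAntiForgeryException("A required one-time token was missing, invalid or already used.");
    }
}

// View helper: emits the hidden field. In a view, next to Html.AntiForgeryToken():
//     <%= Html.AntiForgeryToken() %>
//     <%= Html.OneTimeToken() %>
// and on the action:
//     [HttpPost, ValidateAntiForgeryToken, ValidateOneTimeToken]
public static class OneTimeTokenHtmlExtensions
{
    public static MvcHtmlString OneTimeToken(this HtmlHelper html)
    {
        string token = OneTimeTokenStore.Issue(html.ViewContext.HttpContext.Session);
        return MvcHtmlString.Create("<input type=\"hidden\" name=\"" + OneTimeTokenStore.FieldName
            + "\" value=\"" + HttpUtility.HtmlAttributeEncode(token) + "\" />");
    }
}
```

Two caveats before adopting this. First, the built-in AntiForgeryToken already binds the form value to a cookie the attacker cannot read, which is why OWASP treats a per-session synchronizer token as sufficient; the one-time variant buys replay protection of the form field itself, not additional CSRF protection. Second, single-use tokens cost usability: a user who presses Back and resubmits, or whose form is redisplayed after a validation error without re-rendering the hidden field, is rejected. Because the filter consumes the token before the action runs, any view that redisplays the form must call `Html.OneTimeToken()` again so a fresh value is issued.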
