runtime loading of ValidateAntiForgeryToken Salt value

Posted by p.campbell on Stack Overflow See other posts from Stack Overflow or by p.campbell
Published on 2010-06-08T03:03:50Z Indexed on 2010/06/08 3:12 UTC
Read the original article Hit count: 323

Filed under:
|
|
|

Consider an ASP.NET MVC application using the Salt parameter in the [ValidateAntiForgeryToken] directive.

The scenario is such that the app will be used by many customers. It's not terribly desirable to have the Salt known at compile time.

The current strategy is to locate the Salt value in the web.config.

[ValidateAntiForgeryToken(Salt = Config.AppSalt)]
//Config.AppSalt is a static property that reads the web.config.

This leads to a compile-time exception suggesting that the Salt must be a const at compile time.

An attribute argument must be a constant expression, typeof expression or array creation expression of an attribute parameter type

How can I modify the application to allow for a runtime loading of the Salt so that the app doesn't have to be re-salted and recompiled for each customer?

Consider that the Salt won't change frequently, if at all, thereby removing the possibility of invalidating form

© Stack Overflow or respective owner

Related posts about asp.net-mvc

Related posts about csrf