I have an MVC 4.0 site that uses AntiForgeryTokens to protect against CSRF attacks.
What I am finding is that I can reuse an old __RequestVerificationToken after new sessions have been opened.
I start by adding this to the .cshtml:

    @Html.AntiForgeryToken()
I then decorate the POST action method in the controller with:

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult DoSomething(MyViewModel model)
    {
        // Action body omitted in the question; a return is needed for it to compile.
        return View(model);
    }
I then do the following:
- Log in to the admin site and scrape the __RequestVerificationToken value.
- Log out.
- Log back in again (in theory there should now be a new token created).
Then submit the form below in a new tab in the same browser (see that I have used the token from the previous request).
    <html>
    <body>
      <form action="http://adminsite.com/DoAction" method="POST">
        <input type="hidden" name="id" value="26" />
        <input name="__RequestVerificationToken" type="hidden" value="rt95zr0voZbgLga117YNBfwwLpTU8onGCDmZ4IQEisvhiNH_9ISTtsbDzIVgIkRUzwH81PpbrTRGK4MLSp3S3j-JMNjsJTL04TRl2J38rNz8KKomL98gLjEiJoXgMXFt0qaJ8tPaB4_PvGo8ATaxLcA2" />
        <input type="submit" value="Submit request" />
      </form>
    </body>
    </html>
What I find is that even though I have logged out and back in again, I am still able to use the old __RequestVerificationToken and I can successfully post the form.
After reading through the documentation (http://www.asp.net/mvc/overview/security/xsrfcsrf-prevention-in-aspnet-mvc-and-web-pages) there is no mention of token invalidation.
My questions are:
- Shouldn't it now be invalid?
- If not, why not?
- Is there a way of making the __RequestVerificationToken invalid after logging out and back in again?
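An added example, not part of the question, showing one mitigation for the behaviour described above: the MVC 4 form token is validated against the __RequestVerificationToken cookie (and the logged-in username), and FormsAuthentication.SignOut() removes only the authentication cookie, so expiring the anti-forgery cookie at logout forces a fresh cookie/form token pair on the next login. The controller name AccountController, the action name LogOff and the redirect target are assumed.

```csharp
using System;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;
using System.Web.Security;

public class AccountController : Controller   // assumed controller name
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()               // assumed action name
    {
        // Clears the Forms Authentication ticket, but leaves the
        // __RequestVerificationToken cookie in the browser untouched.
        FormsAuthentication.SignOut();

        // Expire the anti-forgery cookie as well. AntiForgeryConfig.CookieName
        // gives the name actually in use (by default "__RequestVerificationToken",
        // with a suffix when the application runs under a virtual path).
        var antiForgeryCookie = Request.Cookies[AntiForgeryConfig.CookieName];
        if (antiForgeryCookie != null)
        {
            var expired = new HttpCookie(AntiForgeryConfig.CookieName)
            {
                Value = string.Empty,
                HttpOnly = true,
                Expires = DateTime.UtcNow.AddDays(-1)
            };
            Response.Cookies.Add(expired);
        }

        // On the next page rendered after re-login, @Html.AntiForgeryToken()
        // finds no cookie and issues a new cookie/form token pair, so a form
        // token scraped before logout no longer pairs with the current cookie.
        return RedirectToAction("Index", "Home");   // assumed redirect target
    }
}
```

Rolling the cookie like this only helps if the login page itself is rendered after the expiry reaches the browser, so keep the logout as a redirect rather than returning a view directly.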