Why is AntiForgeryToken's hidden field not same as its cookies on my machine?

Asked 25/8, 2011 at 6:58 Answered 30/9, 2015 at 21:27

Solved asp.net-mvc asp.net-mvc-3 antiforgerytoken

I just did a quick test with a simple ASP.NET MVC 3 sample by modifying default LogOn form. According to this article, both hidden field __RequestVerificationToken and cookies __RequestVerificationToken_Lw__ must contain same value that generated by Html.AntiForgeryToken(). But it isn't exactly same when I got them in Fiddle, by the way, looking at MVC 3 source code, method GetAntiForgeryTokenAndSetCookie seemed not use salt value for generating the cookies. Was there any change in MVC 3?

Forgot to say that I could still log on successfully with both normal or Ajax POST request.

Here is raw log from Fiddle:

POST http://localhost:51713/Account/LogOn HTTP/1.1
Referer: http://localhost:51713/Account/LogOn
Content-Length: 256
Origin: http://localhost:51713
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Cookie: __RequestVerificationToken_Lw__=OIRtVqUvNt/LfDGeoVy3W1VhdKN7MwdbUZmRNScz4NqS4uV0I0vQH2MHg77SsVhcinK5SJi9mVcdBUWk2VMiPTk8EMUN2Zq0X4ucK8XQ3/zr6NoiIvVF73Bq8ahbFaY/IrNrWY7mmzvO9j/XVLNN2lNqgCd6I3UGZAw3/nlOmpA=

__RequestVerificationToken=zeDS%2F8MZE%2BLf%2FrRhevwN51J7bOE3GxlGNLQc8HogwFctF7glU1JboHePTTHa5YFe9%2FD2sY7w167q53gqvcwYZG1iZeecdnO4fdg6URdR4RUR%2BjIgk1apkXoxQ2xg48REfv4N5D4SHKU4MAf30Diy0MVyyF9N2Dl7uUGT6LbKHZU%3D&UserName=Tien&Password=tien&RememberMe=false

Kus answered 25/8, 2011 at 6:58 Comment(2)

As a sidenote - AntiForgery tokens are designed to be used for non public parts of your application (where the user is already authenticated). Using them on a public login form is pretty pointless. – Jerboa 25/8, 2011 at 11:56

LogOn form was just used for testing purpose. – Kus 25/8, 2011 at 14:49

what makes you think they should be the same ? :) of course, they must me comparable in some way, but that doesnt mean they must look identical in their serialized form. There is different set of data serialized to cookie (i think only the "salt" and token) and to HTML markup (salt, token, creation time, username).

If you are interested in details, take ILSpy and look for System.Web.Mvc.AntiForgeryDataSerializer, System.Web.Mvc.AntiForgeryData and OnAuthorization method of System.Web.Mvc.ValidateAntiForgeryTokenAttribute

Isometry answered 8/9, 2011 at 11:11 Comment(2)

Thanks, the mentioned article said they are same :), and their name are same too. – Kus 14/9, 2011 at 3:19

No need for ILSpy, ASP.NET Mvc is open-source. aspnetwebstack.codeplex.com/SourceControl/latest – Fallingout 6/1, 2014 at 10:18

The article you are referencing in your question is simply wrong, because the hidden field anti forgery token will never be the same as anti forgery cookie value.

Added value of my answer is the link to interesting article which describes ASP.NET anti-forgery token internals. It, among others, provides clear steps to decode and decrypt cookie/form token:

BitConverter.ToString(System.Web.Helpers.AntiXsrf.MachineKey45CryptoSystem.Instance.Unprotect(tokenValue))

... and subsequent steps in order to match the cookie and form tokens.

Symphonious answered 30/9, 2015 at 21:27 Comment(1)

How did you find it? Also do you write blogs? – Fogel 1/2 at 12:33

Recommended topics

Hot tags