Monday, May 26, 2014

Why the __RequestVerificationToken sent from @Html.AntiForgeryToken() is not changing

Recently we got an issue during the security review conducted by the client on an ASP.Net MVC 4 web application. It was related to the CSRF attacks. We have used the anti forgery token throughout our application. But the reviewer said that the token value generated by HTML helper is constant always. Ideally the "__RequestVerificationToken" value should not be same for the subsequent requests. But in our case the token value returned is always the same.

We were able to reproduce the issue easily using a sample application in our QA environment. But the same sample worked well in development servers. This helped us to narrow down the issue to the server configuration.

There were no forum questions about such an issue when we googled except one question in SO but there is no answer. Then the search turned towards relations between windows updates and anti forgery token. It lead to one SO link where it mentioned about a KB. Immediately installed the same in the QA test server and could see it worked. 

Below is the link to KB which solve the repetition of anti-forgery token issue across multiple page loads

http://support.microsoft.com/kb/2656351

No comments: