ASP.NET MVC3 AntiForgeryToken

KH

New Member
Here I have a simple MVC3 application with two form posts. To protect against CSRF attacks, I have used the AntiForgeryToken HTML helpers in both forms as per the guidance here.

Here are my two models:

    public class User
    {
        public string FirstName { get; set; }
        public string LastName { get; set; }
    }

    public class Employee
    {
        public int Id { get; set; }
        public string Name { get; set; }
    }

Here is my HomeController.cs:

    using System.Web.Mvc;
    using MvcAntiforgeryToken.Models;

    public class HomeController : Controller
    {
        public ActionResult Index()
        {
            return View();
        }

        // POST Home/Index: rejected unless the anti-forgery cookie and form field validate
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult Index(User user)
        {
            if (ModelState.IsValid)
                return RedirectToAction("About");
            return View();
        }

        public ActionResult About()
        {
            return View();
        }

        // POST Home/About: same anti-forgery validation as above
        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult About(Employee employee)
        {
            if (ModelState.IsValid)
                return RedirectToAction("PageA");
            return View();
        }
    }

Here is my Index.cshtml:

    @model MvcAntiforgeryToken.Models.User
    @using (Html.BeginForm()) {
        @Html.AntiForgeryToken()
        <div>
            <fieldset>
                <legend>User Information</legend>
                <div class="editor-label">
                    @Html.LabelFor(m => m.FirstName)
                </div>
                <div class="editor-field">
                    @Html.TextBoxFor(m => m.FirstName)
                    @Html.ValidationMessageFor(m => m.FirstName)
                </div>
                <div class="editor-label">
                    @Html.LabelFor(m => m.LastName)
                </div>
                <div class="editor-field">
                    @Html.PasswordFor(m => m.LastName)
                    @Html.ValidationMessageFor(m => m.LastName)
                </div>
                <p>
                    <input type="submit" value="Save" />
                </p>
            </fieldset>
        </div>
    }

Here is my About.cshtml:

    @model MvcAntiforgeryToken.Models.Employee
    @using (Html.BeginForm()) {
        @Html.AntiForgeryToken()
        <div>
            <fieldset>
                <legend>Employee Information</legend>
                <div class="editor-label">
                    @Html.LabelFor(m => m.Id)
                </div>
                <div class="editor-field">
                    @Html.TextBoxFor(m => m.Id)
                    @Html.ValidationMessageFor(m => m.Id)
                </div>
                <div class="editor-label">
                    @Html.LabelFor(m => m.Name)
                </div>
                <div class="editor-field">
                    @Html.PasswordFor(m => m.Name)
                    @Html.ValidationMessageFor(m => m.Name)
                </div>
                <p>
                    <input type="submit" value="Save" />
                </p>
            </fieldset>
        </div>
    }

Posting of Home/Index:

When the user visits Home/Index, the application created a "RequestVerificationToken_Lw" cookie with value "pG2/E00Q2DngYxs98f92x9qqrIvrh6zCT/+GGte67NFZLazKFlz++QqMSHpkZ08Qum9vsBCtq7O7MSzCawJkEa2/hdjrWoAcHlDWxxYRWKXm+OxPbqlRs609zam4fK7hReGEX3zf8YR4ltH3oYf4AZgt2mZV31ihRGShiZ7Oy9k=" and the following hidden form input:

    <input name="__RequestVerificationToken" type="hidden" value="B1KKzYEFEdINnuhy53MqqxHCHELPUd5pX3vRqYWz1+pkhBA6YGFvSVtXgSURkAn3yNwee3nrqDCMXB8MB0SWiUU3GuHnhH7+Qc1IQebJHoFJZR2CPXNOmUzINXbBWKZz+35pQQQXdiKptR3raLSoElfQi18ZC4Pr7xNREGIOM2A=" />

Posting of Home/About:

When the user visits Home/About, the application created a "RequestVerificationToken_Lw" cookie with value "pG2/E00Q2DngYxs98f92x9qqrIvrh6zCT/+GGte67NFZLazKFlz++QqMSHpkZ08Qum9vsBCtq7O7MSzCawJkEa2/hdjrWoAcHlDWxxYRWKXm+OxPbqlRs609zam4fK7hReGEX3zf8YR4ltH3oYf4AZgt2mZV31ihRGShiZ7Oy9k=" and the following form input:

    <input name="__RequestVerificationToken" type="hidden" value="UOCMATdy93A0230aBmRPv5F0xpJlI2urE5sJ4nxsTSWrsi9/xM5qhrxQ4I2vWIjvVrhkW8gSgmGFp7c4XPQUQG5myMGipTAr2/mi5od+Sz6IcfrF2FxwjfWMslt96BcMG6b9BjaGbgnClQOVTkjfHEMIptOYUCTSbVK61dWp5qI=" />

Here are my questions:

Why is the "RequestVerificationToken_Lw" cookie value the same in both forms? Shouldn't it be recreated for every form post?

Why are the "RequestVerificationToken_Lw" cookie value and the "__RequestVerificationToken" hidden input values different?

Thanks much for your responses!
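
A simplified model of a cookie-plus-hidden-field anti-forgery scheme that behaves the way the post observes: one cookie token reused across both pages, a different hidden-field value on every rendered form, and validation that checks the pair together. This is an added example, not code from the post and not ASP.NET MVC's internal implementation; the class name, the HMAC construction and the in-process key are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
static class AntiForgeryModel // illustrative model, hypothetical names; not ASP.NET MVC's code
{
    static readonly RandomNumberGenerator Rng = RandomNumberGenerator.Create();
    static readonly byte[] ServerKey = RandomBytes(32); // constructed demo secret
    static byte[] RandomBytes(int n) { var b = new byte[n]; Rng.GetBytes(b); return b; }
    // Cookie token: issued on first visit, then reused while the cookie is present.
    public static string GetOrCreateCookieToken(string existing) =>
        string.IsNullOrEmpty(existing) ? Convert.ToBase64String(RandomBytes(16)) : existing;

    static byte[] Mac(byte[] nonce, string cookieToken)
    {
        using (var h = new HMACSHA256(ServerKey))
            return h.ComputeHash(nonce.Concat(Encoding.UTF8.GetBytes(cookieToken)).ToArray());
    }

    // Field token: fresh nonce per rendered form, bound to the cookie token by the MAC.
    public static string CreateFieldToken(string cookieToken)
    {
        var nonce = RandomBytes(16);
        return Convert.ToBase64String(nonce.Concat(Mac(nonce, cookieToken)).ToArray());
    }

    // Accept a POST only when the field token was minted for the cookie it arrived with.
    public static bool Validate(string cookieToken, string fieldToken)
    {
        byte[] raw;
        try { raw = Convert.FromBase64String(fieldToken ?? ""); }
        catch (FormatException) { return false; }
        if (string.IsNullOrEmpty(cookieToken) || raw.Length != 48) return false;
        var expected = Mac(raw.Take(16).ToArray(), cookieToken);
        int diff = 0; // accumulate differences instead of exiting early
        for (int i = 0; i < 32; i++) diff |= expected[i] ^ raw[16 + i];
        return diff == 0;
    }

    static void Main()
    {
        var cookie = GetOrCreateCookieToken(null);                 // first visit, Home/Index
        var indexField = CreateFieldToken(cookie);
        var aboutField = CreateFieldToken(GetOrCreateCookieToken(cookie)); // Home/About
        Console.WriteLine("fields differ: " + (indexField != aboutField));
        Console.WriteLine("both valid:    " + (Validate(cookie, indexField) && Validate(cookie, aboutField)));
        Console.WriteLine("other cookie:  " + Validate(GetOrCreateCookieToken(null), indexField));
    }
}
```

A cross-site page can make the browser send the cookie but cannot read it or a matching field value, which is why the check needs both halves.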
 