In a basic MVC project where all my forms have [code]@Html.AntiForgeryToken()[/code], I witness that the token (cookie) value is always the same for all forms for a specific user session. Why is that? I partially understand that (otherwise there would be a lot of problems, for example with the Back button). But why not make it different for different forms using "salt": [quote]"This method is deprecated. Use the AntiForgeryToken() method instead. To specify custom data to be embedded within the token, use the static AntiForgeryConfig.AdditionalDataProvider property."[/quote] And why is it so huge (207 bytes in my example, user identity name is 7 chars)? Standard session id is much shorter (41).