Why does @Html.AntiForgeryToken() generate different tokens in same response?

一向 2020-12-16 04:32

A single Razor view contains several forms, each with its own call to @Html.AntiForgeryToken()

6 answers
  • -上瘾入骨i, 2020-12-16 05:07

    The values HAVE to be different. Not because of implementation inner workings or API voodoo but because each form represents an independent request to the server.

    If the forms had the same token, once an attacker knew the token value for one form he would be able to trick the server into accepting the data sent by the other forms, although they were not submitted by the user, defeating the protection provided by the AntiCSRF Token.

    The objective of the token is to provide a random id parameter, making it very hard for the attacker to fool the application into thinking that it was the logged-in user that filled the form.

    For those that are not acquainted with CSRF attacks, please take a look here.
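As an added example (not part of the question or of any answer on this page), the following shows what the asker's situation looks like end to end in ASP.NET MVC: a Razor view with two independent forms, each calling @Html.AntiForgeryToken() and therefore each carrying its own hidden __RequestVerificationToken field, and the two POST actions that validate those fields with [ValidateAntiForgeryToken]. The controller, action and field names are hypothetical; the point to take from it is that the token call in the view and the attribute on the action go together, and a POST action that lacks the attribute accepts the request whether or not a valid token was sent.

```csharp
// Added example, not code from the original question or answers.
// Controller, action and form field names are hypothetical.
//
// Views/Account/Settings.cshtml (Razor markup, shown here as a comment):
// ------------------------------------------------------------------
// @using (Html.BeginForm("ChangeEmail", "Account", FormMethod.Post))
// {
//     @Html.AntiForgeryToken()   // emits a hidden __RequestVerificationToken field
//     @Html.TextBox("email")
//     <input type="submit" value="Change email" />
// }
//
// @using (Html.BeginForm("ChangePassword", "Account", FormMethod.Post))
// {
//     @Html.AntiForgeryToken()   // a second, differently valued token for this form
//     @Html.Password("newPassword")
//     <input type="submit" value="Change password" />
// }
// ------------------------------------------------------------------
// Controllers/AccountController.cs

using System.Web.Mvc;

public class AccountController : Controller
{
    [HttpGet]
    public ActionResult Settings()
    {
        // Rendering the view above produces the two forms and their tokens.
        return View();
    }

    // Each POST action that should be protected must opt in with
    // [ValidateAntiForgeryToken]; the attribute checks the hidden
    // __RequestVerificationToken field posted by that form against the
    // anti-forgery cookie that arrived with the same request, and rejects
    // the request (HttpAntiForgeryException) when they do not match.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult ChangeEmail(string email)
    {
        if (string.IsNullOrWhiteSpace(email))
        {
            ModelState.AddModelError("email", "Email is required.");
            return View("Settings");
        }

        TempData["Message"] = "Email updated.";
        return RedirectToAction("Settings");
    }

    // The second form posts its own token; it is validated the same way,
    // independently of the first form.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult ChangePassword(string newPassword)
    {
        if (string.IsNullOrWhiteSpace(newPassword) || newPassword.Length < 12)
        {
            ModelState.AddModelError("newPassword", "Password must be at least 12 characters.");
            return View("Settings");
        }

        TempData["Message"] = "Password updated.";
        return RedirectToAction("Settings");
    }
}
```

A quick self-check when auditing a view like this: every form that changes state should contain one @Html.AntiForgeryToken() call, and every action those forms post to should carry [ValidateAntiForgeryToken]; the token values rendered in the page will differ between forms, and that is expected.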
