antiforgerytoken

A single Razor view contains several forms, each with its own call to @Html.AntiForgeryToken() <form id="f1"> @Html.AntiForgeryToken() </form> <form id="f2"> @Html.AntiForgeryToken() </form> As I understand it, both of these anti forgery tokens should be the same. <form id="f1"> <input name="__RequestVerificationToken" type="hidden" value="duVT4VtiYybun-61lnSY1ol__qBwawnELooyqT5OSrCJrvcHvDs_Nr9GLxNxwvBaI4hUcKZVkm6mDEmH2UqNorHD1FnJbKJQLWe8Su_dhy_nnGGl5GhqqC3yRGzcxbBM0" /> </form> <form id="f2"> <input name="__RequestVerificationToken" type="hidden" value="ZMISz3IWHU

I know that Stack Exchange sites do not use the ASP.NET MVC built-in @Html.AntiForgeryToken() for the prevention of XSRF/CSRF attacks. Instead of creating a hidden input named __RequestVerificationToken with a really long value based on the machineKey section of the web.config, the Stack Exchange method creates an input named fkey with a MUCH more succinct value. This is apparently a Guid, and based on evidence from the Stack Exchange Data Explorer project on Google Code , this value is tied to each individual user, remaining fairly constant until you log in or out. Also, the Stack Exchange

I have implemented antiforgery token on my login page. Now I had one user pressing back key on the keyboard, and when they click on login button again after filling their credentials, they get error page. Is there some better way of handeling this case like redirect them to fresh login page? Page that is login page is : /account/logon If login details are sucessfull the user is redirected to :Home/Index page on which the user pressed button back. Adam Tuliper - MSFT Don't implement the ASP.NET AntiForgeryToken on your login page. The token is based on a username among other criteria and a

UPD: Same question asked on security.stackexchange.com and the answer I got is different. Please follow there, to get the correct answer! I'm running a rather large site with thousands of visits every day, and a rather large userbase. Since I started migrating to MVC 3, I've been putting the AntiForgeryToken in a number of forms, that modify protected data etc. Some other forms, like the login / registration also use the AntiForgeryToken now, but I'm becoming dubious about their need there in the first place, for a couple reasons... The login form requires the poster to know the correct

I have a problem with the anti CRSF MVC mechanism. The cookie and the form input returned does not match. I'm getting an error every single time, only in one specific page. In the rest of the application it works well. The server is returning HTTP 500 Internal Server Error and I can see on the log this exception: [System.Web.Mvc.HttpAntiForgeryException]: {"A required anti-forgery token was not supplied or was invalid."} This is the hidden input that the server is generating is: <input name="__RequestVerificationToken" type="hidden" value=