Reputation: 3131
MVC.net form post/anti forgery
When defining the ValidateAntiForgeryToken attribute. What level of complexity should be given to the salt?
For example is an alpha-numeric over X number of characters characters good? Should there be symbols as well.
[ValidateAntiForgeryToken(Salt = "How complex is good")]
public virtual ActionResult SaveDetail(UserDetails details)
{
.
.
.
}
Upvotes: 1
Views: 586
Answers (2)
Reputation: 22485
i've added my 'salt' into a config file and use a guid for it's value (along the lines of):
public const string AntiforgeryToken = "{F161FDA9-D1F0-43D2-85D0-F7051F12E7B8}";
i reference it in the controllers like so:
[AcceptVerbs(HttpVerbs.Post), ValidateAntiForgeryToken(Salt = Config.AntiforgeryToken)]
seems to work quite well for me.
jim
Upvotes: 2
Reputation: 18321
I think it's a matter of salt length rather than character types. Simply put, the longer the salt, the harder the AntiForgeryToken will be to crack. Modern methods such as md5-crypt and bcrypt use salts of 48 and 128 bits, respectively. Perhaps you want to follow their lead.
If you're really concerned, add a different salt to each view. This will provide added security to your site as hackers won't be able reuse a compromised token from view to view. Hopefully that makes sense.
Sanderson speak to this in this post.
Upvotes: 3
Related Questions
- ASP.NET Core MVC anti forgery
- Anti forgery system on ASP.Net MVC
- Intercepting ASP NET MVC POST Values
- Post Without Validating
- anti-forgery error in my mvc app
- .NET MVC preventing forged POST
- Understanding ASP.NET MVC anti-forgery protection
- Asp.Net Anti-Forgery
- Repeat data verification on POST
- ASP.NET MVC Form Post