Yag

Reputation: 546

ValidateAntiForgeryToken preserving cookie value for the session

I am not sure whether this is a "feature" or a bug on the MVC framework.

While implementing a few actions with the [ValidateAntiForgeryToken] attribute on them I've noticed that although on the view, the _RequestVerificationToken hidden text field changes with every re-load of the page, the cookie _RequestVerificationToken_Lw__ always remains the same for the length of the session, i.e. all views will use the same cookie value to compare against.

From what I can gather, the value on the view is different because it gets encrypted every time but in reality, like the cookie, it's also the same as the cookie for the length of the session.

My question is: shouldn't we be able to force this cookie to have a different value for every different request?

I would have thought that keeping the same cookie value for the length of the session is a security risk, as a malicious hacker could get hold of it and our CSRF (Cross Site Request Forgery) preventive measures would go out of the window.

Is there a way of forcing this cookie to get a different value for each request?

Upvotes: 1

Views: 866

Answers (1)

Adam Tuliper

Reputation: 30162

That cookie is still part of a three-pronged protection.

They must have:

  1. The cookie
  2. Your login name (hence your forms auth cookie)
  3. The anti-forgery token from the page.

With that in mind, and using SSL (which you should always be using!), given the fact that the tokens are NOT one-time-use tokens anyway, your protection level would likely not change.

Upvotes: 2
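The three-pronged check the answer describes, as an added illustration that is not part of the original post and not ASP.NET MVC's own implementation: the session cookie is minted once and then preserved, the form token is regenerated on every page render as a fresh salt plus an HMAC that binds that salt, the cookie value and the logged-in user name under a server key, and validation only succeeds when all three agree. The cookie name, the `SERVER_KEY`, the user names and the `demo()` scenario are constructed for this example.

```python
"""Double-submit anti-forgery check modelled on the answer's three prongs:
(1) the session anti-forgery cookie, (2) the authenticated user name and
(3) a per-page form token bound to both. Hypothetical illustration only;
the real framework's token format differs."""
import base64
import hashlib
import hmac
import secrets

COOKIE_NAME = "__RequestVerificationToken"   # constructed name for this example
SERVER_KEY = secrets.token_bytes(32)         # stand-in for the server's machine key


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(salt: bytes, cookie_token: str, username: str) -> bytes:
    # Binds the per-render salt to the session cookie and the login name.
    msg = salt + b"|" + cookie_token.encode() + b"|" + username.encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def new_cookie_token() -> str:
    """Issued once per session and then preserved (what the question observed)."""
    return _b64(secrets.token_bytes(16))


def new_form_token(cookie_token: str, username: str) -> str:
    """Issued on every page render: fresh salt + HMAC, so its value changes each load."""
    salt = secrets.token_bytes(16)
    return _b64(salt + _mac(salt, cookie_token, username))


def validate(cookies: dict, form: dict, username: str) -> bool:
    """All three prongs must be present and consistent; constant-time compare."""
    cookie_token = cookies.get(COOKIE_NAME)
    form_token = form.get(COOKIE_NAME)
    if not cookie_token or not form_token:
        return False
    try:
        raw = _unb64(form_token)
    except ValueError:          # malformed base64 (binascii.Error is a ValueError)
        return False
    if len(raw) != 16 + 32:     # 16-byte salt + 32-byte SHA-256 tag
        return False
    salt, tag = raw[:16], raw[16:]
    return hmac.compare_digest(tag, _mac(salt, cookie_token, username))


def demo() -> dict:
    """Constructed scenario: one session (fixed cookie), two page loads (two form tokens)."""
    cookie = new_cookie_token()
    form1 = new_form_token(cookie, "alice")
    form2 = new_form_token(cookie, "alice")
    cookies = {COOKIE_NAME: cookie}
    return {
        # The cookie stays the same, yet the rendered token differs per load.
        "form_tokens_differ": form1 != form2,
        "both_forms_valid": validate(cookies, {COOKIE_NAME: form1}, "alice")
        and validate(cookies, {COOKIE_NAME: form2}, "alice"),
        # The cookie on its own never passes: the browser attaches cookies automatically,
        # but the form field still has to be supplied and has to match.
        "cookie_only_rejected": not validate(cookies, {}, "alice"),
        # A token minted under one login does not validate for another login.
        "other_user_rejected": not validate(cookies, {COOKIE_NAME: form1}, "bob"),
        # A token bound to a different session cookie is rejected.
        "other_cookie_rejected": not validate(
            {COOKIE_NAME: new_cookie_token()}, {COOKIE_NAME: form1}, "alice"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The design choice worth noticing is that rotating the cookie would not add a prong: the form token already changes on every render, and an attacker who could read the cookie would still need a form token minted for the victim's login, which is why the answer says the protection level would likely not change.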
