Anti forgery tokens are reusable even after one request


April 2019


507 time


I am working on mvc application. Here in view i have added @Html.AntiForgeryToken() and in controller i have added attribute [ValidateAntiForgeryToken]. Now my point is when i send request for deleting any document one antiforgery token is created. i have copied that token. and again i am deleting other document and replacing the system generated token with previously used token. Still my request is successfully deleting document.
I am using all above operations with Burp Suite. Please clear that lifetime of antiforgery token. When we have already used one antiforgery token that token should expired after that have used ? Thanks Ketan Mate

2 answers


Anti-ForgeryToken create some encrypted value in the form and also stored the same value in a cookie RequestVerificationToken.both are submitted to the server when you submit the form.

RequestVerficationToken cookie has an expiration value set to be Session.So it will get expired when user leave the browser on session timeout(by default 20 minues). so in your case you can use same token in multiple request on same page until the session expired.


This is not how anti forgery token work, well AF tokens are used to prevent CSRF attacks means that it wont allow untrusted servers to post the form

When you implement @html.AntiforgeryToken() this line creats a hidden feild as well as a cookie so what it means that when you post the form both are compaired if any one is missing or missmatching that means it wont post and since your cookie forgery token matches with the previous forgery token it will post in your case and this is how it should work and hence no worries