Is this workaround for multi-tab issues with Anti Forgery Tokens safe?

  • Question

  • User-913057069 posted

    Hello,

    I am working on a project which uses MVC5 in an SPA fashion. We have recently noticed an issue with the Anti Forgery Token system now that we have applied it to most of the Areas in our site. The issue occurs when a user does some work in one tab, and then opens a new tab in the same browser in order to go do something else (often, it is to view data on a different page).

    This causes our anti forgery tokens to sometimes overwrite each other, leading to some form of race condition that leaves one of the tabs with an invalid anti forgery token.

    Based on my reading of the following posts:
    https://docs.microsoft.com/en-us/aspnet/mvc/overview/security/xsrfcsrf-prevention-in-aspnet-mvc-and-web-pages
    https://stackoverflow.com/questions/9922858/why-does-httpantiforgeryexception-occur-randomly-even-with-a-static-machine-key/16357733#16357733

    I have attempted to fix the problem by adding an Anti Forgery Token (using Html.AntiForgeryToken()) to the initial home page of the site once a user has logged in. In our brief testing so far, it seems to have solved the issue. However, I am not a security expert, so I do not know if there is an underlying problem with this approach that will open us back up to CSRF attacks.

    Are there any concerns with solving this problem in this fashion?

    Friday, March 29, 2019 5:15 PM
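The following is an added illustration, not code from the thread or from ASP.NET itself: a simplified Python model of a cookie/form token pair, used to show why two tabs opened before the cookie token exists can leave one tab with a token that no longer matches, why emitting a token early (the workaround described in the question) avoids that, and that in this model a cross-site request still fails validation because it cannot read the hidden-field token. The model assumes (as a modelling choice, not a statement about the real implementation) that a page reuses the cookie token the browser already sent and only generates a new one when no cookie is present; `SERVER_KEY`, `USER` and the function names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed stand-in for the server's machine key; a real deployment keeps this secret.
SERVER_KEY = secrets.token_bytes(32)
USER = "chris"  # constructed user identity the form token is bound to


def new_cookie_token() -> str:
    """Random, opaque token that the server stores in a cookie."""
    return secrets.token_hex(16)


def form_token_for(cookie_token: str, user: str) -> str:
    """Form (hidden-field) token bound to the cookie token and the user via an HMAC."""
    msg = f"{cookie_token}:{user}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def validate(cookie_token: Optional[str], form_token: Optional[str], user: str) -> bool:
    """Server-side check: both tokens present and the form token matches the cookie token."""
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(form_token_for(cookie_token, user), form_token)


def render_page(browser_cookie: Optional[str], user: str) -> Tuple[str, str]:
    """Render a page that emits a token (modelling assumption: the cookie token already sent
    by the browser is reused; a fresh one is generated only when no cookie was sent).
    Returns (cookie token to Set-Cookie, form token placed in the hidden field)."""
    cookie = browser_cookie or new_cookie_token()
    return cookie, form_token_for(cookie, user)


def simulate_two_tabs(prime_cookie_first: bool) -> Tuple[bool, bool]:
    """Open two tabs 'at once', then submit a form from each.
    Returns (tab_a_submit_ok, tab_b_submit_ok)."""
    cookie_jar: Optional[str] = None

    if prime_cookie_first:
        # The workaround from the question: emit a token on the home page right after login,
        # so the cookie exists before any further tab is opened.
        cookie_jar, _ = render_page(cookie_jar, USER)

    # Both tabs send their request before either response has set the cookie.
    set_cookie_a, form_a = render_page(cookie_jar, USER)
    set_cookie_b, form_b = render_page(cookie_jar, USER)

    # Responses arrive; the browser keeps whichever Set-Cookie landed last (tab B here).
    cookie_jar = set_cookie_a
    cookie_jar = set_cookie_b

    # Each tab now posts its own form token together with the single shared cookie.
    return validate(cookie_jar, form_a, USER), validate(cookie_jar, form_b, USER)


def forged_request_rejected() -> bool:
    """A cross-site request carries the victim's cookie automatically but cannot read the
    hidden field, so it arrives with no form token (or a random one) and fails validation."""
    cookie, _real_form = render_page(None, USER)
    return (not validate(cookie, None, USER)
            and not validate(cookie, secrets.token_hex(32), USER))


if __name__ == "__main__":
    print("two tabs, no cookie yet:   ", simulate_two_tabs(False))   # one tab breaks
    print("two tabs, cookie set early:", simulate_two_tabs(True))    # both succeed
    print("forged request rejected:   ", forged_request_rejected())
```

In this model the protection rests on the form token being bound to the cookie token and being unreadable from another origin, not on how recently the token was issued; the early-issued token therefore does not weaken the check, while still removing the race between tabs.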

All replies

  • User-893317190 posted

    Hi Chris.Thompson,

    It seems that your website uses the same csrf token.

    Generally speaking, other websites could hardly get the token which is in your website's page because of the cross-origin policy. https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS

    However, the longer the token stays on the site, the more likely it is to be stolen by other sites.

    If your website needs absolute safety, you had better not do that for temporary convenience.

    If the data of your user is relatively not so important, you could consider using this way, because after all other websites have few ways to get your website's token which is stored in your website's hidden field.

    Best regards,

    Ackerly Xu

    Monday, April 1, 2019 2:29 AM
  • User-134105967 posted

    Hi Chris,

    As you have mentioned that you developed this application in an SPA fashion, I guess you are using the "Authorization" header for sending the authentication token along with all requests. If so, you don't even need to worry about CSRF attacks because CSRF will be applicable only to cookie-based web applications.

    Reference : https://security.stackexchange.com/questions/170388/do-i-need-csrf-token-if-im-using-bearer-jwt/170405#170414

    Monday, April 8, 2019 8:57 AM