Use ServiceStack User Session When Generating AntiXsrf Token

leonidy · August 3, 2015, 8:23am

Hello,

We’re utilizing ServiceStack.Html.AntiXsrf.AntiForgery. Our application implements custom user authentication based on username and password.
We found out that XSRF token is generated ignoring user session and any token will be valid for any, event not authorized request.

Please, advise if the ServiceStack.Html.AntiXsrf namespace has tools to generate the token per user session.

Thank you,

mythz · August 3, 2015, 3:16pm

Not sure what you mean by any token will be valid when it’s the server generating the token, but the AntiXsrf impl uses the Double Submit Cookies technique for validating Xsrf tokens.

leonidy · August 4, 2015, 7:10am

I mean that if I log-in with a user1 credentials and save aside a generated AntiXSRF token and then logout and relogin with user1 credentials, I’ll be given a different AntiXSRF token. However, if I send the previous token with a new user session request, the token will be accepted as valid.

I’d like it to be rejected.

I can implement Double Submit Cookies but I thought that current ServiceStack AntiForgery provides the functionality already. If it doesn’t then I can maybe use the token generator for creating a cryptographically strong token.

Can you please answer about:

Can AntiXsrf generate anti-forgery token that takes into count ss-id (to support the flow I described above)?
In case I’m going to implement “Double Submit”, does AntiForgery.GetTokens() produces cryptographically strong tokens, so I can use them for “Double Submit”?

Thank you

mythz · August 4, 2015, 3:52pm

No it doesn’t take the Session Id into account, you can propose this as a feature request.
Yes, AntiForgery does produce cryptographically strong tokens.