We’re utilizing ServiceStack.Html.AntiXsrf.AntiForgery. Our application implements custom user authentication based on username and password.
We found out that XSRF token is generated ignoring user session and any token will be valid for any, event not authorized request.
Please, advise if the ServiceStack.Html.AntiXsrf namespace has tools to generate the token per user session.
I mean that if I log-in with a user1 credentials and save aside a generated AntiXSRF token and then logout and relogin with user1 credentials, I’ll be given a different AntiXSRF token. However, if I send the previous token with a new user session request, the token will be accepted as valid.
I’d like it to be rejected.
I can implement Double Submit Cookies but I thought that current ServiceStack AntiForgery provides the functionality already. If it doesn’t then I can maybe use the token generator for creating a cryptographically strong token.
Can you please answer about:
Can AntiXsrf generate anti-forgery token that takes into count ss-id (to support the flow I described above)?
In case I’m going to implement “Double Submit”, does AntiForgery.GetTokens() produces cryptographically strong tokens, so I can use them for “Double Submit”?