We’re writing an iOS mobile app in objective-c that makes posts to our ASP.NET MVC server app. On iPhone, the HTTP stack (and cookies etc) appear to be shared with Safari. This leaves us open to XSRF attacks, so unless I’m mistaken we need to protect the POSTs with anti-forgery tokens and protect our controller methods with
I’ll qualify this question by saying that I don’t properly understand the mechanism by which the antiforgery tokens are generated and verified… in particular, the term ‘nonce’ used in this context is somewhat mystical.
Because we’re not delivering HTML to the client, we can’t use the standard
@Html.AntiForgeryToken(), so instead we have to use
AntiForgery.GetTokens to acquire and distribute the tokens to our clients. This has a mysterious first parameter:
oldCookieToken. At the moment, I just set it to
null and everything seems to work fine. So can anyone tell me… what is the use of supplying the old token to the token generating algorithm? If only a single token is issued to our iOS app and reused for multiple posts, is this going to be problematic?
AntiForgery.GetTokens will try to reuse the old cookie token for validation purposes. So if you already have a validation token you want to reuse, it will attempt to use it instead of generating a new one. If the old token is invalid, it will generate a new one and use it instead.
oldCookieToken is valid. It simply tells
GetTokens to always generate a new cookie token.