Here is the scenario. I have the following action methods in a controller named Default1.
using System.Web.Mvc;

public class Default1Controller : Controller
{
    // Target of the POST: the request is rejected unless the anti-forgery
    // cookie and the hidden form field carry tokens that validate together.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult testing()
    {
        return View();
    }

    // Renders the form (GET) that posts to testing().
    public ActionResult testing1()
    {
        return View();
    }
}
Their corresponding views are:
// testing1.cshtml
@{
ViewBag.Title = "testing1";
}
<h2>testing1</h2>
<form action="/Default1/testing" method="post">
@Html.AntiForgeryToken()
<input type="submit" value="submit"/>
</form>
// testing.cshtml
@{
ViewBag.Title = "testing";
}
<h2>testing</h2>
<h1>successfully validated cookie</h1>
So first I visit /Default1/testing1, which sets an HttpOnly cookie. In the request a hidden field is also added which has a token. Here is that input field.
<input name="__RequestVerificationToken" type="hidden" value="qgahCspc_DQBSQTkFR5_NmPDGygciZPNxt7BmqZE9NpmVzrbbo1N43T3RDjJvrMUmsq4MT5vUqvvQF4SCrSQXnQpKB9THGNA5hVcVu6exIQ1">
Following is a screenshot of the response header; the HTTP cookie can be seen in the red circle.
I thought that first the HttpOnly cookie is set, and on the POST request the value from the hidden field and the value of the HttpOnly cookie are compared; if both are equal then we are considered validated. But as can be seen, both these values are different. The mechanism is working. The question is: how? Is one of these values encrypted and decrypted later before comparison?
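The following is an added example, not code from the question above or from ASP.NET MVC itself. It models the design behind the cookie/form token pair: the two tokens are never compared as strings. Each wraps the same freshly generated random security value, the form token additionally carries the current username, and both are protected (encrypted and MAC'd) before being sent, which is why the cookie and the hidden field look completely different on the wire. Validation unprotects both and compares the embedded security values. The framework does this with MachineKey.Protect; the model below is written in Python so it runs without dependencies, and its cipher (an HMAC-SHA256 counter-mode keystream with an HMAC tag, encrypt-then-MAC) is a toy stand-in for illustration only, not something to deploy. All names (protect, unprotect, issue_tokens, validate, SERVER_KEY) are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed server-side secret for this example; stands in for the
# machine key that the real framework uses to protect both tokens.
SERVER_KEY = os.urandom(32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a toy keystream for the demo cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def protect(payload: dict, key: bytes = SERVER_KEY) -> str:
    """Encrypt-then-MAC a JSON payload into an opaque URL-safe string.

    A fresh nonce per call means protecting the same payload twice yields
    two different strings, so the encoded token reveals nothing about its
    contents and cannot be compared by equality.
    """
    plaintext = json.dumps(payload, sort_keys=True).encode()
    nonce = os.urandom(16)
    stream = _keystream(key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(nonce + ciphertext + tag).decode().rstrip("=")


def unprotect(token: str, key: bytes = SERVER_KEY) -> dict:
    """Verify the MAC first, then decrypt; raises ValueError on tampering."""
    padded = token + "=" * (-len(token) % 4)
    raw = base64.urlsafe_b64decode(padded)
    if len(raw) < 16 + 32:
        raise ValueError("token too short")
    nonce, ciphertext, tag = raw[:16], raw[16:-32], raw[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad MAC")
    stream = _keystream(key, nonce, len(ciphertext))
    plaintext = bytes(c ^ s for c, s in zip(ciphertext, stream))
    return json.loads(plaintext)


def issue_tokens(username: str) -> tuple:
    """Return (cookie_token, form_token) that share one random security value.

    The cookie token is the long-lived 'session' half; the form token is
    bound to the user who was shown the form. Their payloads differ, so
    the protected strings differ even though they belong together.
    """
    security = base64.urlsafe_b64encode(os.urandom(16)).decode()
    cookie_token = protect({"security": security, "is_session": True})
    form_token = protect({"security": security, "is_session": False,
                          "username": username})
    return cookie_token, form_token


def validate(cookie_token: str, form_token: str, current_user: str) -> bool:
    """Model of the server-side check behind [ValidateAntiForgeryToken]."""
    try:
        cookie = unprotect(cookie_token)
        form = unprotect(form_token)
    except ValueError:
        return False
    # Reject swapped roles: a form token presented as the cookie, or vice versa.
    if not cookie.get("is_session") or form.get("is_session"):
        return False
    # The random security value inside both tokens must match ...
    if not hmac.compare_digest(cookie.get("security", ""), form.get("security", "")):
        return False
    # ... and the form token must have been issued to the current user.
    return form.get("username") == current_user


if __name__ == "__main__":
    cookie, form = issue_tokens("alice")
    print("cookie token:", cookie)
    print("form token:  ", form)
    print("strings differ on the wire:", cookie != form)
    print("pair validates for alice:  ", validate(cookie, form, "alice"))
    print("cookie with a foreign form token:",
          validate(cookie, issue_tokens("alice")[1], "alice"))
```

Run it and note that the two printed tokens never match, yet validate() accepts the pair and rejects a form token from a different issue, a swapped pair, a different user, or a token whose bytes were altered. That is the property the question observes: equality of the opaque strings is not the check; equality of what they decrypt to is.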