AntiForgeryToken changes on every request

2023-09-04 00:31:23 Author: 囙憶╰呮剰殇

I am using the AntiForgeryToken helper method. From what I understand about the AntiForgeryToken, it is session based, so that each user has the same token but another user will have a different token (provided that you use the same salt for all of the forms). My "problem" is that AntiForgeryToken is generating different tokens for the same user with the same salt. For example ...

Controller

// Action on an MVC controller class: it only renders the view below,
// nothing in the action itself varies between requests.
public ActionResult Test()
{
    return View();
}

View

@using (Html.BeginForm())
{
    @* Emits the hidden __RequestVerificationToken field (and the matching cookie) using the salt "Salty!" *@
    @Html.AntiForgeryToken("Salty!")
}

Output, request #1

<input name="__RequestVerificationToken" type="hidden" value="K1sijFuYvyGUJjGg33OnLjJaU3tFpGFDutRt9TOFSkZ6FcrhJMMQPnOqjIHuTwBXs/sPBXEiE+1qyV9l63nnSO161b+OtLbaBoPC7K3/7wxtnuSY+N0o/fqBgVoDyac4dNVp+OvanKBSrHINKfc3WEg9269BHOJNzFowC6Aeac/afAGTGrBypxUHfqrKVowD" />

Output, request #2

<input name="__RequestVerificationToken" type="hidden" value="mOpP6LMQXnCmjr5/Wdtnhguh3PyZxWj7GWf8LYzZXPKcJBBT+DbAHvynquSD65O0DBw1RKR7DxCNg372ukftCOWms+o75CraMyFMnvjGk7RU+znIQm05eRQvr5H6d/MDyn+0DWm3jLnMBM9GplsgMRqbdAHzSe69/cS2x9A4X/9jFTZQHUWXXHUr0xewF8Rk" />

The keys are different for the same session with the same salt. Do I have a fundamental misunderstanding of CSRF protection? Or is this a new feature?

Recommended answer

The anti-XSRF token works by encrypting the same random value into a session cookie and onto your form. The session cookies are submitted only when you make a post from the form you've generated.

This approach also works e.g. on server farms (in a load balancing scenario) where all servers share the encryption key. The validation works only by comparing the decrypted value from the posted form data and the decrypted value from the posted session cookie. This is called the double submitted cookie method.

So it's pretty normal that each request gets a different value. This is a nice post about ASP.NET MVC XSRF tokens.
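The answer above describes the double submitted cookie scheme in words. The following is an added, stand-alone model of that scheme written for this page; it is not ASP.NET MVC's implementation and not code from the question or the answer. It assumes a hypothetical farm-wide key `SERVER_KEY` (ASP.NET derives its key from the machineKey configuration) and uses an HMAC to authenticate each token rather than the encryption the framework uses. It shows the three things the answer relies on: every render draws a fresh random value, so the hidden field differs between requests; a form token still validates against the cookie that was issued with it; and a form token from one render does not validate against the cookie from another, which is what stops a cross-site page from supplying a token of its own.

```python
import base64
import hashlib
import hmac
import os

# Hypothetical key shared by every server in the farm (assumption made for this
# example; ASP.NET MVC uses its own machineKey-derived key instead).
SERVER_KEY = b"example-farm-wide-key-not-for-production"

_TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC tag at the end of each token


def _pack(kind: bytes, value: bytes, salt: bytes, key: bytes) -> str:
    # 'kind' is b"cookie" or b"form": the two tokens carry the same random value
    # but serialize differently, so the cookie and the hidden field never match
    # byte-for-byte. The whole body is authenticated with the farm-wide key.
    body = b"|".join([kind, base64.b64encode(value), base64.b64encode(salt)])
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()


def _unpack(token: str, key: bytes):
    """Return (kind, random_value, salt) or None if the token is malformed or
    was not produced under 'key' (e.g. a server outside the farm, or tampering)."""
    try:
        raw = base64.b64decode(token, validate=True)
        if len(raw) <= _TAG_LEN:
            return None
        body, tag = raw[:-_TAG_LEN], raw[-_TAG_LEN:]
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None
        kind, value_b64, salt_b64 = body.split(b"|")
        return kind, base64.b64decode(value_b64), base64.b64decode(salt_b64)
    except (ValueError, TypeError):
        return None


def issue_tokens(salt: str, key: bytes = SERVER_KEY):
    """Called while rendering the form. Returns (cookie_value, form_field_value).
    A fresh random value is drawn on every render, which is why two renders of
    the same form for the same user show different hidden-field values."""
    nonce = os.urandom(16)
    s = salt.encode()
    return _pack(b"cookie", nonce, s, key), _pack(b"form", nonce, s, key)


def validate(cookie_value: str, form_value: str, salt: str,
             key: bytes = SERVER_KEY) -> bool:
    """Called on POST. Both tokens must authenticate under the farm key, be of
    the right kind, carry the expected salt, and contain the same random value."""
    c = _unpack(cookie_value, key)
    f = _unpack(form_value, key)
    if c is None or f is None:
        return False
    c_kind, c_nonce, c_salt = c
    f_kind, f_nonce, f_salt = f
    if c_kind != b"cookie" or f_kind != b"form":
        return False
    if c_salt != salt.encode() or f_salt != salt.encode():
        return False
    return hmac.compare_digest(c_nonce, f_nonce)


def demo() -> dict:
    """Reproduce the situation in the question: two renders, two different
    hidden-field values, both valid with their own cookie, not with each other's."""
    cookie1, form1 = issue_tokens("Salty!")
    cookie2, form2 = issue_tokens("Salty!")
    return {
        "form_fields_differ": form1 != form2,
        "render1_valid": validate(cookie1, form1, "Salty!"),
        "render2_valid": validate(cookie2, form2, "Salty!"),
        "mixed_pair_rejected": not validate(cookie1, form2, "Salty!"),
        "wrong_salt_rejected": not validate(cookie1, form1, "Other"),
        "foreign_key_rejected": not validate(cookie1, form1, "Salty!", key=b"other-server"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

In this model the cookie is never sent to a cross-site attacker's page, so the attacker cannot produce a form value whose random value matches it; that, not a stable per-session value, is what the check depends on. Because validation only compares the two submitted tokens, any server holding the same key can verify a pair issued by another server, which is the load-balancing point the answer makes.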