AntiForgery Token

Jul 3, 2012 at 9:48 PM
Edited Jul 3, 2012 at 9:50 PM

Is OpenID secure enough in NerdDinner? Isn't it vulnerable to CSRF? (I know security can be out of scope in this project, but that's not the point of my question.)

What do you think about using ValidateAntiForgeryToken attribute in action LogOnPostAssertion on AuthController?

Jul 5, 2012 at 2:23 PM

An interesting point you bring up about XSRF. The vulnerability here, if any, seems to be that a user may be discreetly logged into NerdDinner under someone else's account, so further actions that user takes on NerdDinner may be recognized as having been completed by a different user.

Mitigating this would have to be done by a mechanism different than the [ValidateAntiForgeryToken] attribute because that assumes there is a hidden form field on the HTML page that will get posted with the request, but this request is instead formulated at the OpenID Provider.  Protecting against XSRF would effectively break an OpenID 2.0 feature called "unsolicited assertions". However for most sites that feature may not be as interesting as mitigating this security risk.  

I've fixed this in r77814.  Thanks for pointing it out.
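The reply above explains why [ValidateAntiForgeryToken] cannot help here: the assertion request is assembled at the OpenID Provider, not posted from a form the relying party rendered. The thread does not describe what r77814 actually changed, so the following is an added, framework-agnostic illustration of the usual mitigation for this class of login XSRF, not NerdDinner's or DotNetOpenAuth's code. The relying party binds a fresh nonce to the browser session before redirecting to the provider, carries it in return_to, and accepts a positive assertion only when the nonce in return_to matches the session now presenting it. Class and parameter names (RelyingParty, rp_nonce, the example URLs) are assumptions. It stands in for the LogOnPostAssertion action in Python so it can run stand-alone; it also shows the cost the reply mentions, since an assertion arriving in a session that never started a login (an "unsolicited assertion") is now refused.

```python
"""Login-XSRF mitigation for a redirect-based (OpenID-style) assertion.

Added illustration, not NerdDinner's code. In OpenID 2.0 the provider signs
openid.return_to, so the nonce travels integrity-protected; verifying that
signature is the OpenID library's job and is assumed done before
post_assertion() is reached.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

RP_CALLBACK = "https://rp.example/auth/logonpostassertion"  # assumed callback URL


class RelyingParty:
    def __init__(self):
        # session_id -> per-session state (a real app uses its session store)
        self.sessions = {}

    def begin_login(self, session_id, op_endpoint):
        """Build the redirect to the provider, binding a fresh nonce to this session."""
        nonce = secrets.token_urlsafe(16)
        self.sessions.setdefault(session_id, {})["login_nonce"] = nonce
        return_to = RP_CALLBACK + "?" + urlencode({"rp_nonce": nonce})
        return op_endpoint + "?" + urlencode({"openid.mode": "checkid_setup",
                                                 "openid.return_to": return_to})

    def post_assertion(self, session_id, return_to):
        """Accept the positive assertion only if return_to carries the nonce
        bound to the session presenting it. Returns True when the login is accepted."""
        expected = self.sessions.get(session_id, {}).get("login_nonce")
        presented = parse_qs(urlparse(return_to).query).get("rp_nonce", [None])[0]
        if expected is None or presented is None:
            return False  # no login in flight for this browser: unsolicited assertion
        if not hmac.compare_digest(expected, presented):
            return False  # nonce was minted for a different browser session
        del self.sessions[session_id]["login_nonce"]  # single use: no replay
        return True


def _return_to_of(redirect_url):
    """Extract openid.return_to from the redirect the RP sent the browser to."""
    return parse_qs(urlparse(redirect_url).query)["openid.return_to"][0]


def demo():
    """Constructed scenario covering the accepted and the rejected cases."""
    rp = RelyingParty()
    op = "https://op.example/openid"  # assumed provider endpoint

    # Two browsers start logins: the user's own session and an unrelated one.
    own_redirect = rp.begin_login("sess-user", op)
    other_redirect = rp.begin_login("sess-other", op)

    # An assertion minted for the other session arrives in the user's session:
    # nonce mismatch, so the user is NOT silently logged in as someone else.
    cross = rp.post_assertion("sess-user", _return_to_of(other_redirect))

    # The user's own assertion arrives in the user's session: accepted.
    ok = rp.post_assertion("sess-user", _return_to_of(own_redirect))

    # The same assertion presented again: nonce already consumed, rejected.
    replay = rp.post_assertion("sess-user", _return_to_of(own_redirect))

    # A browser with no login in flight receives an assertion: rejected.
    # This is the OpenID "unsolicited assertion" feature the reply says is lost.
    unsolicited = rp.post_assertion("sess-fresh", _return_to_of(other_redirect))

    return ok, cross, replay, unsolicited


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

The check is deliberately tied to the browser session rather than to a hidden form field, which is why it works where the MVC anti-forgery attribute does not: whatever the provider sends back, the only thing that can complete a login in a given session is the nonce that session itself minted.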

Jul 5, 2012 at 7:26 PM

Your solution is simple and effective. Thanks for the help.