Yan*_*lla 6
Tags: asp.net-core, asp.net-core-identity, samesite
According to docs.microsoft.com, ASP.NET Core implements the Synchronizer Token Pattern to mitigate CSRF.
The anti-request-forgery mechanism has many drawbacks impacting users:
Example 1: login page opened in two tabs
- Open the login page in two different tabs
- User A logs in from Tab 1 (no issues)
- Without refreshing Tab 2, user B tries to log in
=> Produces a 400 page with AntiforgeryValidationException
(reference 1, reference 2)
Example 2: a form opened in two tabs (from the same link in a mail)
- Create a new ASP.NET Core MVC website from the template (VS 2019)
- Create a new page with a simple form whose POST is validated with [ValidateAntiForgeryToken]
- Email yourself a link to that page (I used Gmail and Mailtrap)
- Open the link in two tabs by clicking on it normally
- Submit both forms in any order
=> The form that was opened FIRST produces a 400 error
(reference)
SameSite=strict looks like an effective security measure against CSRF attacks
According to this article and the RFC draft, SameSite cookies seem to be an effective and robust security measure against CSRF attacks. The ASP.NET Core 2.2 authentication cookie is configured with SameSite=strict. If my understanding is correct, the authentication cookie is only sent to the server in same-site navigation situations.
In my use case, I trust subdomains.
So, if I can guarantee that my users are using browsers that support the SameSite policy, is it safe to disable the anti-CSRF mechanism of my ASP.NET Core application?
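The following is an added example, not code from the question or from ASP.NET Core: a deliberately simplified model of a cookie-bound synchronizer token, used to replay the two failure scenarios described above. Its assumptions are labelled in the comments: the request token embedded in the form carries the value of the anti-forgery cookie plus the name of the user it was rendered for, the anti-forgery cookie is marked SameSite=Strict (so a browser withholds it on a cross-site navigation such as a link clicked in webmail), and all tabs share one cookie jar. The class and function names are hypothetical.

```python
# Added example: toy model of a synchronizer token bound to a cookie token and
# to the signed-in user. This is NOT ASP.NET Core's implementation, only an
# assumed simplification of its design, to show why two open tabs can fail.
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Cookie:
    value: str
    same_site: str = "Strict"  # "Strict", "Lax" or "None"


@dataclass
class Browser:
    """One cookie jar shared by every tab; each tab remembers the token its form was rendered with."""
    jar: dict = field(default_factory=dict)
    tabs: dict = field(default_factory=dict)

    def cookies_for(self, cross_site: bool) -> dict:
        # Assumption: SameSite=Strict cookies are withheld on any cross-site
        # request, including a top-level navigation from a link in a mail client.
        return {name: c.value for name, c in self.jar.items()
                if not (cross_site and c.same_site == "Strict")}


class Server:
    AF = "af_cookie"   # anti-forgery cookie (random token)
    AUTH = "auth"      # authentication cookie (holds the user name in this model only)

    def render_form(self, browser: Browser, tab: str, cross_site: bool = False) -> None:
        """GET of a page with a form: reuse the cookie token if it arrived, else mint one."""
        sent = browser.cookies_for(cross_site)
        cookie_token = sent.get(self.AF)
        if cookie_token is None:
            # No cookie reached the server, so a fresh one is issued; its
            # Set-Cookie replaces whatever older value the jar already held.
            cookie_token = secrets.token_hex(16)
            browser.jar[self.AF] = Cookie(cookie_token, "Strict")
        user = sent.get(self.AUTH, "")
        # Request token embedded in the rendered form: cookie token + user it was issued for.
        browser.tabs[tab] = f"{cookie_token}:{user}"

    def validate(self, browser: Browser, tab: str) -> tuple[bool, str]:
        """POST from a tab: the form token must match the cookie token and the current user."""
        sent = browser.cookies_for(cross_site=False)  # the form post itself is same-site
        token_cookie_part, token_user = browser.tabs[tab].rsplit(":", 1)
        cookie_token = sent.get(self.AF, "")
        if not hmac.compare_digest(token_cookie_part, cookie_token):
            return False, "400: anti-forgery cookie and request token do not match"
        if token_user != sent.get(self.AUTH, ""):
            return False, "400: token was issued for a different user"
        return True, "200"

    def login(self, browser: Browser, tab: str, user: str) -> tuple[bool, str]:
        """Login form POST: validate the token, then set the authentication cookie."""
        ok, msg = self.validate(browser, tab)
        if ok:
            browser.jar[self.AUTH] = Cookie(user, "Strict")
        return ok, msg


def scenario_login_two_tabs() -> tuple[str, str]:
    """Example 1: both tabs rendered for an anonymous user, A logs in from tab 1, B tries from tab 2."""
    browser, server = Browser(), Server()
    server.render_form(browser, "tab1")
    server.render_form(browser, "tab2")              # same cookie token, still anonymous
    first = server.login(browser, "tab1", "A")       # succeeds, sets the auth cookie for A
    second = server.login(browser, "tab2", "B")      # tab 2's token was issued for "anonymous"
    return first[1], second[1]


def scenario_mail_link_two_tabs() -> tuple[str, str]:
    """Example 2: the same link opened twice from a mail client (cross-site navigation)."""
    browser, server = Browser(), Server()
    server.render_form(browser, "tab1", cross_site=True)  # strict cookie not sent: new token, jar overwritten
    server.render_form(browser, "tab2", cross_site=True)  # again: the jar now holds only tab 2's token
    return server.validate(browser, "tab1")[1], server.validate(browser, "tab2")[1]


if __name__ == "__main__":
    print("login in two tabs:", scenario_login_two_tabs())
    print("mail link in two tabs:", scenario_mail_link_two_tabs())
```

In the model, both 400 responses come from the same place: the request token held by a still-open tab is bound to a cookie token and an identity that changed underneath it, either because a login replaced the identity (example 1) or because a cross-site navigation withheld the strict cookie and a new one was minted (example 2). Whether a given browser actually withholds the cookie in example 2 depends on its SameSite support, which is the assumption the question itself raises.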