I'm creating a page that makes multiple AJAX form posts without a page refresh.
I would like to use the ASP.NET MVC HTML.AntiForgeryToken()
helper to secure the form against CSRF attacks. I think that each form on the page can share the same token, but will it allow multiple requests with the same token? If not is there a way to get a new token or some other way to secure the forms?
I will suggest to read these articles:
http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/
http://msmvps.com/blogs/luisabreu/archive/2009/02/09/the-mvc-platform-the-new-anti-forgery-token.aspx
So to answer your question - it will depend upon how you are doing it. When you use AntiForgeryToken to embed the token, it would generate (new) token in hidden field as well as cookie. And CRSF attack is detected by comparing them provided you have marked your action method (for POST) with
ValidateAntiForgeryToken
attribute. Now, its important that new token should be created for each request. So when you do you AJAX form posts, cookie is going to be set with new token value and you must ensure that the AJAX response contain new token field and you update it on browser side. I will also suggest that you use different salts for different forms for better protection.You can share the same token. Of course, as a general rule, it's highly recommended to wrap your Ajax calls in a unified method that concatenates the CSRF token to the request (be it GET or POST although POST is safer and much more correct from architectural perspective), so when you make Ajax calls you focus on the business input values only, and don't need to worry about CSRF.
Edit: Read this nice post & sample of auto-wrapping Ajax for CSRF protection using jQuery 1.5 and up: http://www.codethinked.com/aspnet-mvc-ajax-csrf-protection-with-jquery-15