Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
When defining the ValidateAntiForgeryToken attribute. What level of complexity should be given to the salt?
For example is an alpha-numeric over X number of characters characters good? Should there be symbols as well.
[ValidateAntiForgeryToken(Salt = "How complex is good")]
public virtual ActionResult SaveDetail(UserDetails details)
{
.
.
.
}
I think it’s a matter of salt length rather than character types. Simply put, the longer the salt, the harder the AntiForgeryToken will be to crack. Modern methods such as md5-crypt and bcrypt use salts of 48 and 128 bits, respectively. Perhaps you want to follow their lead.
If you’re really concerned, add a different salt to each view. This will provide added security to your site as hackers won’t be able reuse a compromised token from view to view. Hopefully that makes sense.
Sanderson speak to this in this post.