如何选择ValidateAntiForgeryToken盐值 [英] How to choose a salt value for ValidateAntiForgeryToken

问题描述

该防伪标记接受的盐值。是否有关于选择盐的安全问题，如

The anti-forgery token accepts a salt value. Is there any security concerns regarding choosing the salt, such as

• 最小长度要求


• 强加密


• 的字母数字和其他字符（像密码）的搭配

另外，就是盐值由客户端查看？查看源$ C ​​$ C，这似乎是$ P $盐值ppending到cookie。

Also, is the salt value viewable by the client? Looking at the source code, it seems to be prepending the salt value to the cookie.

推荐答案

反XSRF令牌已经包含了可以把它唯一标识一个特定的（用户，应用程序）对嵌入信息。在'盐'参数是为了区分哪些行动特定的反XSRF令牌是为。它并不意味着是秘密。随时与世界分享。我希望我们已经为它选择了不同的名称，术语盐是一种误导。你可以把它作为多补充数据。 ：）

The anti-XSRF token already contains embedded information which can uniquely identify it to a particular (user, application) pair. The 'Salt' parameter is meant to distinguish which action a particular anti-XSRF token is meant for. It isn't meant to be secret. Feel free to share it with the world. I wish we had chosen a different name for it, as the term salt is misleading. Think of it more as supplementary data. :)

我们已经利用在幕后正确的密码盐。欲了解更多信息，请参阅我在回应<一个href=\"http://stackoverflow.com/questions/2994550/runtime-loading-of-validateantiforgerytoken-salt-value\">runtime ValidateAntiForgeryToken盐值的负载。

We already utilize a proper cryptographic salt under the covers. For more information, see my response at runtime loading of ValidateAntiForgeryToken Salt value.

TL;博士：不要与盐财产打扰。我们正在考虑从将来的版本中删除也无妨。

tl;dr: Don't bother with the Salt property. We're considering removing it from a future version anyway.

这篇关于如何选择ValidateAntiForgeryToken盐值的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！