Hi,
I posted my question on Stack Overflow, but because of the lack of response, I thought I'd try out the forums.
We use ASP.NET MVC's default Antiforgery technique. Recently a security company did a scan of a form and made note that they could use the same _RequestVerificationToken combination (cookie + hidden field) multiple times. Or how they put it: "The CSRF token in the body is validated on server side but is not revoked after use even though the server generates a new CSRF token."
After reading the documentation and multiple articles on the implementation of Antiforgery, it is my understanding that this is indeed possible as long as the session user matches the user in the tokens.
Part of their recommendation: "Such tokens should, at a minimum, be unique per user session." In my understanding this is already the case, except for anonymous users, correct?
My questions: Is this a security issue? How much of a risk is it? Is there a library that makes sure tokens are not reusable/invalidated?
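A simplified model of the behaviour the scanner describes, as an added example (not ASP.NET's actual antiforgery implementation and not code from the post): the cookie token and the form token share one random security token, the form token additionally binds the user name, both are MAC'd with a server key, and validation is stateless, so the same valid pair passes repeatedly for the same user. A small wrapper shows what single-use validation would add. The key, the `payload.mac` encoding and the `|` separator are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed stand-in for the server's signing key (assumption; not a real secret).
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"


def _sign(payload: bytes) -> bytes:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()


def issue_token_pair(username: str) -> Tuple[str, str]:
    """Cookie token carries a random security token; form token carries the
    same security token plus the user name. Both are signed, nothing is stored."""
    security_token = secrets.token_hex(16)
    cookie_payload = security_token.encode()
    form_payload = f"{security_token}|{username}".encode()
    cookie = cookie_payload.hex() + "." + _sign(cookie_payload).hex()
    form = form_payload.hex() + "." + _sign(form_payload).hex()
    return cookie, form


def _verify(token: str) -> Optional[bytes]:
    """Return the payload if the MAC checks out, else None (tampering/garbage)."""
    try:
        payload_hex, mac_hex = token.split(".")
        payload, mac = bytes.fromhex(payload_hex), bytes.fromhex(mac_hex)
    except ValueError:
        return None
    return payload if hmac.compare_digest(_sign(payload), mac) else None


def validate_stateless(cookie: str, form: str, current_user: str) -> bool:
    """Stateless check: MACs valid, security tokens match, user matches.
    A valid pair is accepted every time; nothing is revoked after use."""
    cookie_payload, form_payload = _verify(cookie), _verify(form)
    if cookie_payload is None or form_payload is None:
        return False
    security_token, _, username = form_payload.decode().partition("|")
    return (hmac.compare_digest(security_token, cookie_payload.decode())
            and username == current_user)


class SingleUseValidator:
    """Same checks plus server-side revocation: each form token is accepted once."""

    def __init__(self) -> None:
        self._used = set()  # in production this would be a shared store with expiry

    def validate(self, cookie: str, form: str, current_user: str) -> bool:
        if not validate_stateless(cookie, form, current_user) or form in self._used:
            return False
        self._used.add(form)
        return True
```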