05Antiforgery

Extending anti-forgery tokens in ASP.NET Core

a_Model

public class Item
{
    public int Data { get; set; }
}

b_View

@using AspNetSecurityDemos.Demos;
@model Item

@{
    ViewData["Title"] = "CreateItem";
}

<h1>CreateItem</h1>

<h4>Item</h4>
<hr />
<div class="row">
    <div class="col-md-4">
        <form asp-action="CreateItem">
            <div asp-validation-summary="ModelOnly" class="text-danger"></div>
            <div class="form-group">
                <label asp-for="Data" class="control-label"></label>
                <input asp-for="Data" class="form-control" />
                <span asp-validation-for="Data" class="text-danger"></span>
            </div>
            <div class="form-group">
                <input type="submit" value="Create" class="btn btn-primary" />
            </div>
        </form>
    </div>
</div>

<div>
    <a asp-action="Index">Back to List</a>
</div>

@section Scripts {
    @{await Html.RenderPartialAsync("_ValidationScriptsPartial");}
}

c_Provider

public class ExpiringAntiforgeryAddtionalDataProvider : IAntiforgeryAdditionalDataProvider
{
    public string GetAdditionalData(HttpContext context)
    {
        return DateTime.UtcNow.AddMinutes(5).ToString();
    }

    public bool ValidateAdditionalData(HttpContext context, string additionalData)
    {
        var isDate = DateTime.TryParse(additionalData, out var expirationDate);
        return isDate && DateTime.UtcNow < expirationDate;
    }
}

d_Registrations

builder.Services.AddSingleton<IAntiforgeryAdditionalDataProvider, ExpiringAntiforgeryAddtionalDataProvider>();