Setting for one-time AntiForgeryToken

Topics: General
Aug 17, 2015 at 9:43 PM
I don't know how to request a preview before a pull request, so I'm using this forum for that.
By default, AntiForgeryToken is hard-coded to be per session. That means that the token in the cookie remains the same during the user session; only the form token changes. The problem with this approach is that all form tokens generated during the session are valid for the same token in the cookie. The security requirements for my project were to have a one-time token, so with every page refresh or any new page, a new pair of tokens (cookie and form tokens) needs to be generated (so the form token from the previous page will not work for a new page).
I've made a fork and implemented a setting in AntiForgerySettings with the name GenerateOnetimeToken to have the ability to switch between session and one-time tokens.
Please review the changes in the fork and let me know what you think and whether it is worth a pull request and merging with the master branch.
Thank you.
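To make the difference between the two modes concrete, here is a small added model (not the fork's code and not the ASP.NET token format) of session-bound versus one-time anti-forgery tokens. The cookie token is a random value; the form token is a nonce plus an HMAC that binds it to the cookie token. In session mode the cookie is issued once, so every form token rendered during the session keeps validating; in one-time mode the cookie is reissued with every page, so the previous page's form token no longer matches. The `Browser` class, the `GenerateOnetimeToken`-style flag and the token layout are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Browser:
    """Constructed stand-in for the client: it only holds the anti-forgery cookie."""
    cookies: dict = field(default_factory=dict)


class AntiForgery:
    COOKIE = "__RequestVerificationToken"  # cookie name, as in ASP.NET MVC

    def __init__(self, generate_one_time_token: bool):
        # Assumed flag mirroring the post's GenerateOnetimeToken setting.
        self.generate_one_time_token = generate_one_time_token
        self.key = secrets.token_bytes(32)  # server-side secret (constructed)

    def _mac(self, cookie_token: str, nonce: str) -> str:
        # Binds a form nonce to one specific cookie token.
        msg = f"{cookie_token}:{nonce}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def render_page(self, browser: Browser) -> str:
        """Serve one page: (re)issue the cookie as the mode dictates, return the form token."""
        if self.generate_one_time_token or self.COOKIE not in browser.cookies:
            browser.cookies[self.COOKIE] = secrets.token_hex(16)
        nonce = secrets.token_hex(16)
        return f"{nonce}.{self._mac(browser.cookies[self.COOKIE], nonce)}"

    def validate(self, browser: Browser, form_token: str) -> bool:
        """Accept the POST only if the form token was issued for the cookie now presented."""
        cookie_token = browser.cookies.get(self.COOKIE)
        if cookie_token is None or "." not in form_token:
            return False
        nonce, mac = form_token.split(".", 1)
        return hmac.compare_digest(mac, self._mac(cookie_token, nonce))


def stale_form_token_accepted(one_time: bool) -> bool:
    """Render two pages, then try to submit the FIRST page's form token."""
    af = AntiForgery(generate_one_time_token=one_time)
    browser = Browser()
    first = af.render_page(browser)
    second = af.render_page(browser)
    assert af.validate(browser, second)  # the current page's token always works
    return af.validate(browser, first)   # True in session mode, False in one-time mode
```

Reissuing the cookie on every page also invalidates forms still open in other tabs, which is the usability cost of the one-time mode.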