When defining the ValidateAntiForgeryToken attribute. What level of complexity should be given to the salt?
For example is an alpha-numeric over X number of characters characters good? Should there be symbols as well.
[ValidateAntiForgeryToken(Salt = "How complex is good")]
public virtual ActionResult SaveDetail(UserDetails details)
{
.
.
.
}
I think it's a matter of salt length rather than character types. Simply put, the longer the salt, the harder the AntiForgeryToken will be to crack. Modern methods such as md5-crypt and bcrypt use salts of 48 and 128 bits, respectively. Perhaps you want to follow their lead.
If you're really concerned, add a different salt to each view. This will provide added security to your site as hackers won't be able reuse a compromised token from view to view. Hopefully that makes sense.
Sanderson speak to this in this post.
i've added my 'salt' into a config file and use a guid for it's value (along the lines of):
public const string AntiforgeryToken = "{F161FDA9-D1F0-43D2-85D0-F7051F12E7B8}";
i reference it in the controllers like so:
[AcceptVerbs(HttpVerbs.Post), ValidateAntiForgeryToken(Salt = Config.AntiforgeryToken)]
seems to work quite well for me.
jim