So I have an interesting problem... I'm required to get my webapp to pass through an IBM app scanning appliance before I can push my changes to production. My latest changes include the AntiForgeryToken in ASP.NET MVC. Every browser I've tested this on works just fine, no issues. But when the appliance tries to submit the form, it gets a validation error. Looking at the verification token, the appliance is doing an html encode on the form value on the post, so the strings don't match up... this is what they look like:
cmiuJRHizXLPvlu9zHKmTwdJiHvq+n87CSJZkixkf/BLHayCPVITJhRCsWWirPWg - pulled from the cookie
cmiuJRHizXLPvlu9zHKmTwdJiHvq%2Bn87CSJZkixkf%2FBLHayCPVITJhRCsWWirPWg - form value
So it's translating + to %2B and / to %2F... has anyone seen this before? Is this an issue for client browsers? And is there a way to have AntiForgeryToken generate a string that has no special characters so I can get my app through this scan? Thanks!
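The mismatch described in the post can be reproduced offline. The following is an added example, not part of the original post: it assumes the scanner percent-encodes the field value and then form-encodes it again, and that the server compares the cookie and form strings as the post describes. The helper names are hypothetical; the token is the one quoted above.

```python
import hmac
from urllib.parse import parse_qs, quote, unquote, urlencode

FIELD = "__RequestVerificationToken"  # ASP.NET MVC's default hidden field name

# Cookie copy of the token, as quoted in the post above.
COOKIE_TOKEN = "cmiuJRHizXLPvlu9zHKmTwdJiHvq+n87CSJZkixkf/BLHayCPVITJhRCsWWirPWg"


def browser_body(token):
    """Form body from a client that encodes the value once (normal browser)."""
    return urlencode({FIELD: token})


def double_encoded_body(token):
    """Assumed scanner behaviour: encode the value, then encode the result again."""
    return urlencode({FIELD: quote(token, safe="")})


def server_form_value(body):
    """Value the server sees after its single form-decoding pass."""
    return parse_qs(body, keep_blank_values=True)[FIELD][0]


def classify(cookie_token, form_token):
    """Diagnose a cookie/form pair: 'match', 'double-encoded' or 'mismatch'.

    For logging only. Validation itself should keep rejecting anything
    that is not an exact match after the normal single decode.
    """
    if hmac.compare_digest(cookie_token.encode(), form_token.encode()):
        return "match"
    # One extra decode recovers the cookie value only if the client encoded twice.
    if hmac.compare_digest(cookie_token.encode(), unquote(form_token).encode()):
        return "double-encoded"
    return "mismatch"


if __name__ == "__main__":
    for label, body in (("browser", browser_body(COOKIE_TOKEN)),
                        ("scanner", double_encoded_body(COOKIE_TOKEN))):
        value = server_form_value(body)
        print(label, body.split("=", 1)[1][:40], "->", classify(COOKIE_TOKEN, value))
```

A single-encoding client puts `%2B` and `%2F` on the wire and the server decodes them back to `+` and `/`; only the double-encoded body (`%252B`, `%252F`) leaves `%2B` and `%2F` in the value that reaches validation.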