private IAntiforgeryFeature GetCookieTokens(HttpContext httpContext) { var antiforgeryFeature = GetAntiforgeryFeature(httpContext); if (antiforgeryFeature.HaveGeneratedNewCookieToken) { Debug.Assert(antiforgeryFeature.HaveDeserializedCookieToken); // Have executed this method earlier in the context of this request. return(antiforgeryFeature); } AntiforgeryToken?cookieToken; if (antiforgeryFeature.HaveDeserializedCookieToken) { cookieToken = antiforgeryFeature.CookieToken; } else { cookieToken = GetCookieTokenDoesNotThrow(httpContext); antiforgeryFeature.CookieToken = cookieToken; antiforgeryFeature.HaveDeserializedCookieToken = true; } AntiforgeryToken?newCookieToken; if (_tokenGenerator.IsCookieTokenValid(cookieToken)) { // No need for the cookie token from the request after it has been verified. newCookieToken = null; } else { // Need to make sure we're always operating with a good cookie token. newCookieToken = _tokenGenerator.GenerateCookieToken(); Debug.Assert(_tokenGenerator.IsCookieTokenValid(newCookieToken)); } antiforgeryFeature.HaveGeneratedNewCookieToken = true; antiforgeryFeature.NewCookieToken = newCookieToken; return(antiforgeryFeature); }