Multiple AntiForgeryTokens on a View with a MasterPage

Question

Has anyone had to deal with multiple AntiForgeryTokens on a child view of a master page? The scenario I am thinking about is as follows:

• The view contains a Form with an AntiForgeryToken rendered as a hidden field.
• The view is contained by a master page that has another AJAX submitted form.

The issue here is that I need to encapsulate the hidden field in the Form and at the same time, I need to render another token for submission on the AJAX submitted form in the master page. I can't make any assumptions that a token will be rendered in the child page since the child page may not have a form on it.

My first thought would be to render a single global AntiForgeryToken for the entire page that all posts used, but then the forms would not post the token as the hidden input field would be located outside of the form.

Thanks for any advice!

Answer 1

It should be possible to render an Html.AntiForgeryToken() separately within each form. The runtime is designed with this scenario in mind. The first call to AntiForgeryToken() sets a flag saying "I've set the token, any other calls to me for this request should use the same token value."