I recently came across the following note in the Microsoft docs (https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery):
Razor Pages are automatically protected from XSRF/CSRF. You don't have to write any additional code. See XSRF/CSRF and Razor Pages for more information.
Pointing to this other page (https://docs.microsoft.com/en-us/aspnet/core/mvc/razor-pages/index?tabs=visual-studio#xsrf) where it says:
You don't have to write any code for antiforgery validation. Antiforgery token generation and validation are automatically included in Razor Pages.
I use Razor with my ASP.NET MVC application and also protect my forms with the AntiForgeryToken helpers. Because of the way the Antiforgery tokens are validated against each other (hidden field + cookie), my users must allow cookies on the website.
I am now confused by what I read in the docs, as it seems to say that I don't need to use the @Html.AntiForgeryToken() helper or the [ValidateAntiForgeryToken] attribute when using Razor...?
As an additional question, is there a way to protect my site against CSRF attack without using the cookies?
To help prevent CSRF attacks, ASP.NET MVC uses anti-forgery tokens, also called request verification tokens. The client requests an HTML page that contains a form. The server includes two tokens in the response. One token is sent as a cookie.
Anti-forgery stands for "the act of copying or imitating things like a signature on a check or an official document to deceive the authoritative source for financial gain". In the case of web applications, it is termed CSRF.
Validates that input data from an HTML form field comes from the user who submitted the data. Obsolete. Validates that input data from an HTML form field comes from the user who submitted the data and lets callers specify additional validation details.
The basic purpose of ValidateAntiForgeryToken attribute is to prevent cross-site request forgery attacks. A cross-site request forgery is an attack in which a harmful script element, malicious command, or code is sent from the browser of a trusted user.
Reading the first link in the post (https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery) I've found the explanation:
ASP.NET Core implements anti-request-forgery using the ASP.NET Core data protection stack.
In ASP.NET Core MVC 2.0 the FormTagHelper injects anti-forgery tokens for HTML form elements.
For older versions of ASP.NET MVC, the helpers you mention are needed.
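To make the distinction concrete, here is an added example (not code from the question, the answer, or the Microsoft docs quoted above) of a minimal ASP.NET Core app that uses both styles side by side: a Razor Page, where token generation and validation happen without any extra code, and an MVC controller action, where validation has to be requested with `[ValidateAntiForgeryToken]` or a global `AutoValidateAntiforgeryTokenAttribute` filter. The type names `ContactModel` and `TransferController` are made up for illustration; the hidden field name `__RequestVerificationToken` is the one the framework emits by default.

```csharp
// Added example (not from the original question or answer): a minimal ASP.NET Core
// app contrasting automatic antiforgery in Razor Pages with opt-in validation in
// MVC controllers. ContactModel and TransferController are hypothetical names.
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Razor Pages: the FormTagHelper emits the token and page handlers validate it by default.
builder.Services.AddRazorPages();

// MVC controllers: validation is opt-in. Registering this filter globally checks the
// token on every unsafe verb (POST/PUT/PATCH/DELETE), so no action can be forgotten.
builder.Services.AddControllersWithViews(options =>
    options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));

var app = builder.Build();
app.UseStaticFiles();
app.UseRouting();
app.MapRazorPages();
app.MapDefaultControllerRoute();
app.Run();

// --- Razor Pages side: Pages/Contact.cshtml.cs (hypothetical page) ---
// The matching Pages/Contact.cshtml needs nothing more than:
//   <form method="post"><input asp-for="Message" /><button>Send</button></form>
// The FormTagHelper adds the __RequestVerificationToken hidden field to that form,
// and OnPost is only reached when the hidden field and the cookie token agree.
public class ContactModel : PageModel
{
    [BindProperty]
    public string Message { get; set; } = string.Empty;

    public void OnGet() { }

    public IActionResult OnPost()
    {
        if (!ModelState.IsValid)
        {
            return Page();
        }
        // Reaching this point means the antiforgery check has already passed.
        return RedirectToPage("Contact");
    }
}

// --- MVC side: a controller action that needs explicit validation ---
// Its view can use either the tag helper form above or @Html.AntiForgeryToken()
// inside a plain <form>; both produce the same hidden field.
public class TransferController : Controller
{
    [HttpGet]
    public IActionResult Index() => View();

    // With the global AutoValidateAntiforgeryToken filter registered above this
    // attribute is redundant; without that filter it is what enforces the check.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Index(decimal amount)
    {
        return RedirectToAction(nameof(Index));
    }
}
```

A POST to either endpoint without a matching hidden field and cookie pair is rejected before the handler or action body runs, which is the behaviour the quoted docs describe as needing "no additional code" for Razor Pages; for MVC actions the same outcome depends on the attribute or the global filter being present.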