First of all, I'm still a starter in MVC4. After noticing many actions are decorated with [ValidateAntiForgeryToken], I googled it, but I'm still kind of confused.
Can anybody explain that concept using the simplest example?
The basic purpose of the ValidateAntiForgeryToken attribute is to prevent cross-site request forgery attacks. A cross-site request forgery is an attack in which a harmful script element, malicious command, or code is sent from the browser of a trusted user.
Anti-Forgery Tokens
The client requests an HTML page that contains a form. The server includes two tokens in the response. One token is sent as a cookie. The other is placed in a hidden form field. The tokens are generated randomly so that an adversary cannot guess the values.
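As an added example (not part of the answer above, and not code from the ASP.NET project), the following C# makes the two-token mechanism visible by issuing and checking the pair by hand with System.Web.Helpers.AntiForgery, which is the same class the helper and attribute use in MVC 4. This is the shape used when the form token travels in a header or JSON body instead of a hidden field; the controller and action names are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Helpers;   // AntiForgery, AntiForgeryConfig (ASP.NET MVC 4 / WebPages)
using System.Web.Mvc;

// Hypothetical controller illustrating the cookie token / form token pair.
public class TokenDemoController : Controller
{
    // Default cookie name is "__RequestVerificationToken"; read it from config rather than hard-coding.
    private static string CookieName { get { return AntiForgeryConfig.CookieName; } }

    // Step 1: the server issues the pair. The cookie token is written as an HttpOnly cookie,
    // the form token is returned to the page so it can be put in a hidden field or a header.
    [HttpGet]
    public ActionResult GetToken()
    {
        HttpCookie existing = Request.Cookies[CookieName];
        string newCookieToken, formToken;

        // Passing the existing cookie token (if any) derives a form token that matches it;
        // newCookieToken is null when the old cookie token is still valid.
        AntiForgery.GetTokens(existing == null ? null : existing.Value, out newCookieToken, out formToken);

        if (newCookieToken != null)
        {
            Response.Cookies.Add(new HttpCookie(CookieName, newCookieToken) { HttpOnly = true });
        }
        return Json(new { formToken = formToken }, JsonRequestBehavior.AllowGet);
    }

    // Step 2: the server checks the pair on the state-changing request. A request triggered
    // from another site carries the cookie automatically but cannot read the page to obtain
    // the matching form token, so the pair will not validate.
    [HttpPost]
    public ActionResult Submit(string formToken)
    {
        HttpCookie cookie = Request.Cookies[CookieName];
        try
        {
            AntiForgery.Validate(cookie == null ? null : cookie.Value, formToken);
        }
        catch (HttpAntiForgeryException)
        {
            // Missing or mismatched tokens: reject without doing the work.
            return new HttpStatusCodeResult(400, "Anti-forgery token missing or invalid.");
        }

        // ... perform the real operation for the authenticated user here ...
        return Content("ok");
    }
}
```

For an ordinary HTML form you do not need any of this: @Html.AntiForgeryToken() in the view and [ValidateAntiForgeryToken] on the action perform exactly these two steps. The explicit version is useful when the client sends the form token in a header, and it shows why the attribute needs both the cookie and the hidden field to be present.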
AntiForgeryToken() generates a hidden form field (anti-forgery token) that is validated when the form is submitted.
The anti-forgery token's main purpose is to prevent an attacker from using the authentication cookie to do things on behalf of the actual user. Since the user isn't authenticated yet on the login page, there are customers removing the validation.
In simple words, it prevents external POST requests, so nobody can use your methods from other sites.
How it works: you have AntiForgeryToken in your Html.BeginForm in the view.

    @using (Html.BeginForm())
    {
        @Html.AntiForgeryToken()
        @* fields of the form *@
    }
When you submit the form, you send data to your controller method. If the method has the ValidateAntiForgeryToken attribute, it validates whether the data you are sending has your forgery token.

    [HttpPost]                  // the check is meant for state-changing (POST) requests
    [ValidateAntiForgeryToken]
    public ViewResult Update()
    {
        // ... apply the update ...
        return View();
    }
ForgeryToken is generated once per session.
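As an added example (not part of the answer above, and not ASP.NET's own code), the following C# shows the pattern from the answer wired end to end for MVC 4, plus one way to avoid forgetting the attribute: an authorization filter that runs the same check as [ValidateAntiForgeryToken] on every POST and is registered globally. The filter class, the FilterConfig layout and the ProfileController are assumptions.

```csharp
using System;
using System.Web.Helpers;   // AntiForgery.Validate()
using System.Web.Mvc;

// Hypothetical filter: enforces the anti-forgery check on every POST action in the
// application, so a forgotten [ValidateAntiForgeryToken] cannot leave an action unprotected.
public sealed class ValidateAntiForgeryTokenOnPostAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null) throw new ArgumentNullException("filterContext");

        var request = filterContext.HttpContext.Request;

        // GET requests must stay side-effect free, so only POST is checked here.
        if (string.Equals(request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
        {
            // Same check [ValidateAntiForgeryToken] performs: the "__RequestVerificationToken"
            // cookie and the hidden form field of the same name must both be present and match.
            // Throws HttpAntiForgeryException otherwise, which ends the request before the action runs.
            AntiForgery.Validate();
        }
    }
}

// Registration, as in App_Start/FilterConfig.cs of an MVC 4 project (assumed layout).
public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new ValidateAntiForgeryTokenOnPostAttribute());
    }
}

// Hypothetical controller: GET renders the form, POST applies the change.
// The view for Update contains:
//     @using (Html.BeginForm()) { @Html.AntiForgeryToken() ... submit button ... }
// so the hidden field is posted back together with the cookie the browser already holds.
public class ProfileController : Controller
{
    [HttpGet]
    public ViewResult Update()
    {
        return View();
    }

    // With the global filter this action is protected even without the attribute;
    // keeping [ValidateAntiForgeryToken] as well is harmless and documents the intent.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Update(string displayName)
    {
        // ... persist displayName for the current user ...
        return RedirectToAction("Update");
    }
}
```

The global filter also applies to the login POST, which is fine as long as the login view renders @Html.AntiForgeryToken() too; a token-less login form would start failing with HttpAntiForgeryException, which is the filter telling you that form is missing the hidden field rather than a reason to remove the check.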