Can somebody tell me more details about it?
AntiForgeryToken()Generates a hidden form field (anti-forgery token) that is validated when the form is submitted.
To help prevent CSRF attacks, ASP.NET MVC uses anti-forgery tokens, also called request verification tokens. The client requests an HTML page that contains a form. The server includes two tokens in the response. One token is sent as a cookie.
Basically, when you request a page, the server includes a hidden field with an encrypted value. And when you submit the form, the website looks at the cookie to make sure you're authenticated, but it also looks at the encrypted value that the browser sends and make sure it's valid.
Adding an AntiForgeryToken generates a Cryptographically valid hash at the server end which is split and a part is added as a hidden field, whereas the rest goes into a cookie. When data is posted, the Cookie and the Hidden Field are both sent back and if they are missing or they don't match, the POST is rejected.
Basically the anti forgery tokens stop anyone from submitting requests to your site that are generated by a malicious script not generated by the actual user. There is an HTTP only cookie (not readable by a script running in the browser, but sent by the browser and accessible by the server) that gets sent to the client, it is used to generate a hidden field value which is then validated against the cookie. At least I think that's the process.
There is a good description of this here which is exactly what you are asking about https://blogs.msmvps.com/luisabreu/blog/2009/02/09/the-mvc-platform-the-new-anti-forgery-token/
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With