Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What is the Html.AntiForgeryToken helper function for?

Can somebody tell me more details about it?

like image 953
Lorenzo Avatar asked Oct 17 '10 23:10

Lorenzo


People also ask

What does HTML AntiForgeryToken () do?

AntiForgeryToken()Generates a hidden form field (anti-forgery token) that is validated when the form is submitted.

Why do we use AntiForgeryToken?

To help prevent CSRF attacks, ASP.NET MVC uses anti-forgery tokens, also called request verification tokens. The client requests an HTML page that contains a form. The server includes two tokens in the response. One token is sent as a cookie.

How does MVC AntiForgeryToken work?

Basically, when you request a page, the server includes a hidden field with an encrypted value. And when you submit the form, the website looks at the cookie to make sure you're authenticated, but it also looks at the encrypted value that the browser sends and make sure it's valid.

What is AntiForgeryToken in web API?

Adding an AntiForgeryToken generates a Cryptographically valid hash at the server end which is split and a part is added as a hidden field, whereas the rest goes into a cookie. When data is posted, the Cookie and the Hidden Field are both sent back and if they are missing or they don't match, the POST is rejected.


1 Answers

Basically the anti forgery tokens stop anyone from submitting requests to your site that are generated by a malicious script not generated by the actual user. There is an HTTP only cookie (not readable by a script running in the browser, but sent by the browser and accessible by the server) that gets sent to the client, it is used to generate a hidden field value which is then validated against the cookie. At least I think that's the process.

There is a good description of this here which is exactly what you are asking about https://blogs.msmvps.com/luisabreu/blog/2009/02/09/the-mvc-platform-the-new-anti-forgery-token/

like image 75
ameer Avatar answered Sep 26 '22 01:09

ameer