
What's the use of the __RequestVerificationToken?

We have a .NET C# MVC application with some forms in it which works fine. Now we also have an ASP Classic vbscript page that needed to interact with these forms, but using a regular post we got an error saying the __RequestVerificationToken wasn't set.

So we request the page and then store the token from the hidden input and the cookie in a variable and send it along with the POST request. And it works.

But seeing it's so simple to bypass it, what's the use of it anyway? It offers hardly any protection.

Hugo Delsing asked Aug 31 '25 20:08


1 Answer

This is an anti-forgery token (it prevents CSRF attacks). It guarantees that the poster is the one who gets the form.

It prevents anybody from forging a link and having it activated by a powered user.

tschmit007 answered Sep 03 '25 10:09
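
Why fetching the form and sending its token back is not a bypass, as an added example that is not part of the original answer and not ASP.NET's own implementation: a simplified Python model in which the hidden-field token is an HMAC of the cookie token. The function names, the demo key and the token derivation are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

FIELD = "__RequestVerificationToken"
SERVER_KEY = secrets.token_bytes(32)  # constructed demo key, held only by the server


def _form_token_for(cookie_token):
    # The field token is derived from the cookie token, so the two only match as a pair.
    return hmac.new(SERVER_KEY, cookie_token.encode(), hashlib.sha256).hexdigest()


def issue_tokens():
    """Server side of GET /form: returns (cookie token, hidden-field token)."""
    cookie_token = secrets.token_hex(16)
    return cookie_token, _form_token_for(cookie_token)


def validate(cookies, form):
    """Server side of POST /form: accept only a matching cookie/field pair."""
    cookie_token = cookies.get(FIELD)
    form_token = form.get(FIELD)
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(_form_token_for(cookie_token), form_token)


def run_scenarios():
    # The user's browser loaded the form earlier and holds the cookie.
    user_cookie, user_field = issue_tokens()
    # A client that requests the form itself (like the ASP Classic page) gets its own pair.
    own_cookie, own_field = issue_tokens()
    return {
        # Normal submit from the page the server rendered.
        "browser_submit": validate({FIELD: user_cookie}, {FIELD: user_field}),
        # Client sends back the pair it was issued: valid, but it acts only as itself.
        "own_pair": validate({FIELD: own_cookie}, {FIELD: own_field}),
        # Cross-site form: the browser attaches the user's cookie, the field is absent.
        "forged_no_field": validate({FIELD: user_cookie}, {"amount": "100"}),
        # Cross-site form carrying a field token that belongs to a different pair.
        "forged_foreign_field": validate({FIELD: user_cookie}, {FIELD: own_field}),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The script that requests the form first is accepted because it is the client that received the form; a page on another site cannot read the hidden field rendered for the user's browser, so the requests it triggers are rejected.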