Coder Perfect

ValidateAntiForgeryToken: purpose, explanation, and example

Problem

Could you please describe the objective of ValidateAntiForgeryToken and provide an example of ValidateAntiForgeryToken in MVC 4?

I couldn’t come up with any instances to explain this characteristic.

Asked by Tabriz Atayi

Solution #1

The anti-forgery functionality in MVC assigns a unique value to an HTTP-only cookie, which is subsequently written to the form. If the cookie value does not match the form value, an error is raised when the page is submitted.

It’s worth noting that the feature guards against cross-site request forgeries. That is, a form from another website that posts to yours in an attempt to submit secret material using the credentials of an authenticated user. The attack comprises duping a logged-in user into submitting a form or just triggering a form programmatically when the page loads.

Other types of data forgery or manipulation attacks are not prevented by this feature.

To utilize it, add the ValidateAntiForgeryToken property to the action method or controller and call @Html.AntiForgeryToken() in the forms that are submitted to the method.

Answered by Richard Szalay

Solution #2

The ValidateAntiForgeryToken attribute’s primary goal is to prevent cross-site request forgery attacks.

A cross-site request forgery attack is one in which a malicious script element, command, or code is transmitted from a trusted user’s browser. Visit http://www.asp.net/mvc/overview/security/xsrfcsrf-prevention-in-aspnet-mvc-and-web-pages for additional details.

It’s easy to use; simply decorate the method with the ValidateAntiForgeryToken property as shown below:

[HttpPost]
[ValidateAntiForgeryToken] // rejects the POST unless the cookie token and the form token match
public ActionResult CreateProduct(Product product)
{
  if (ModelState.IsValid)
  {
    // your logic
  }
  return View(product); // redisplay the posted model (the original returned an undefined ModelName)
}

It is derived from the namespace System.Web.Mvc.

Add this code to your view to add the token, which will be used to validate the form upon submission.

@Html.AntiForgeryToken()

Answered by Chandra Malla

Solution #3

In ASP.NET Core the anti-forgery token is automatically added to forms, so you don’t need to add @Html.AntiForgeryToken() if you use the Razor form element or IHtmlHelper.BeginForm and the form’s method isn’t GET.

It will create an input element for your form that looks something like this:

<input name="__RequestVerificationToken" type="hidden" 
       value="CfDJ8HSQ_cdnkvBPo-jales205VCq9ISkg9BilG0VXAiNm3Fl5Lyu_JGpQDA4_CLNvty28w43AL8zjeR86fNALdsR3queTfAogif9ut-Zd-fwo8SAYuT0wmZ5eZUYClvpLfYm4LLIVy6VllbD54UxJ8W6FA">

If validation is enabled, this token is confirmed on the server side when the user submits the form.

The attribute [ValidateAntiForgeryToken] can be used on actions. Unless the request includes a valid antiforgery token, requests to actions with this filter are denied.

Controllers can be used with the [AutoValidateAntiforgeryToken] attribute. This attribute functions in the same way as the ValidateAntiForgeryToken attribute, but it doesn’t require tokens for requests made with the following HTTP methods: GET, HEAD, OPTIONS and TRACE.

Additional information: docs.microsoft.com/aspnet/core/security/anti-request-forgery

Answered by Siarhei Kavaleuski
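
Putting the three answers together for ASP.NET Core, as an added example that is not code from the original thread: a controller protected with [AutoValidateAntiforgeryToken] and the Razor form that carries the hidden token. The ProductsController and Product types and the view path are assumed names.

```csharp
using Microsoft.AspNetCore.Mvc;

// Constructed sample model; the thread only names the type.
public class Product
{
    public int Id { get; set; }
    public string Name { get; set; } = string.Empty;
}

// Applied at controller level, the filter validates the token on every
// POST/PUT/PATCH/DELETE action and skips GET, HEAD, OPTIONS and TRACE.
[AutoValidateAntiforgeryToken]
public class ProductsController : Controller
{
    // GET changes no state and is not checked; it only renders the form.
    [HttpGet]
    public IActionResult Create() => View(new Product());

    // A POST without a matching cookie token + form token never reaches
    // this body: the filter short-circuits the request with HTTP 400.
    [HttpPost]
    public IActionResult Create(Product product)
    {
        if (!ModelState.IsValid)
            return View(product);

        // persist the product here
        return RedirectToAction(nameof(Index));
    }

    [HttpGet]
    public IActionResult Index() => View();

    // Explicit opt-out for an endpoint protected some other way (for
    // example a webhook verified by its own signature). Use sparingly.
    [HttpPost]
    [IgnoreAntiforgeryToken]
    public IActionResult Webhook() => Ok();
}

/* Views/Products/Create.cshtml (assumed path). Because the method is post,
   the form tag helper emits the hidden __RequestVerificationToken input
   shown in Solution #3; no @Html.AntiForgeryToken() call is needed.

@model Product
<form asp-action="Create" method="post">
    <input asp-for="Name" />
    <button type="submit">Save</button>
</form>
*/
```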

Post is based on https://stackoverflow.com/questions/13621934/validateantiforgerytoken-purpose-explanation-and-example