
Anti Forgery Token Prevention For CSRF


Anti-Forgery Token

To help prevent CSRF attacks, ASP.NET MVC uses anti-forgery tokens.

1. The client requests an HTML page that contains a form.

2. The server includes two tokens in the response. One token is sent as a cookie; the second token is placed in a hidden form field. The tokens are randomly generated so that they cannot be guessed.

3. When the client submits the form, it must send both tokens back to the server.

4. If the request does not include both tokens, the server disallows the request.

<form action="path" method="post">
    <input name="__RequestVerificationToken" type="hidden"
           value="fhsdvjknsdfk634754795jnskdji8yh"/>
    <input type="submit" value="submit"/>
</form>

Because of the same-origin policy, a malicious page cannot read the token. This is why the anti-forgery token works.

In MVC

To add the anti-forgery tokens to a Razor page, use the HtmlHelper.AntiForgeryToken helper method:

@using (Html.BeginForm("Manage", "Account")) {
    @Html.AntiForgeryToken()
}
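
The helper only emits the tokens; the check described in steps 3 and 4 runs on the server when the receiving action is marked with [ValidateAntiForgeryToken]. The following is an added example, not code from the original post: ManageViewModel, its Email property and the ValidateAntiForgeryOnUnsafeMethodsAttribute filter are hypothetical names, and it assumes ASP.NET MVC 5 (System.Web.Mvc).

```csharp
using System;
using System.Web.Helpers; // AntiForgery
using System.Web.Mvc;

// Hypothetical view model for the Manage form.
public class ManageViewModel
{
    public string Email { get; set; }
}

public class AccountController : Controller
{
    // Steps 1-2: rendering the view runs @Html.AntiForgeryToken(), which
    // issues the cookie token and writes the hidden form field.
    [HttpGet]
    public ActionResult Manage()
    {
        return View(new ManageViewModel());
    }

    // Steps 3-4: the attribute validates the cookie token against the form
    // token before the action body runs. If either is missing or they do not
    // match, HttpAntiForgeryException is thrown and nothing below executes.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Manage(ManageViewModel model)
    {
        if (!ModelState.IsValid) return View(model);
        TempData["Status"] = "Saved";
        return RedirectToAction("Manage");
    }
}

// Hypothetical global filter: validates every request that is not
// GET/HEAD/OPTIONS, so an action that lacks the attribute is still covered.
public sealed class ValidateAntiForgeryOnUnsafeMethodsAttribute
    : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        string method = filterContext.HttpContext.Request.HttpMethod;
        bool safe = string.Equals(method, "GET", StringComparison.OrdinalIgnoreCase)
                 || string.Equals(method, "HEAD", StringComparison.OrdinalIgnoreCase)
                 || string.Equals(method, "OPTIONS", StringComparison.OrdinalIgnoreCase);
        if (!safe) AntiForgery.Validate(); // throws HttpAntiForgeryException
    }
}
```

To apply the filter to every controller, add an instance to GlobalFilters.Filters at application start.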


