What is Anti-forgery Token in MVC - Prevent cross site request forgery (CSRF)


Share with WhatsApp


This post covers what cross site request forgery (CSRF) is and how you can prevent it in your MVC web application using the simple mechanism provided for this purpose, the “Anti-Forgery Token”.

What is Cross Site Request Forgery (CSRF)?

Cross site request forgery is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. It is also known as a “one-click attack”.

In simple words, it is a type of attack in which a user's identity is used to send a bad request to a site on which that user is already authenticated.

E.g. suppose a user has logged in to abcbank.com and, like most sites, abcbank.com puts a cookie in the user's browser containing authentication information. If someone now gets the browser to send a bad request to abcbank.com, it will be executed, because the user is already authenticated and already allowed to send information. This is very dangerous from the point of view of the site's security. This example is very general and just for understanding purposes; bank sites nowadays are well maintained in terms of user security and usually have multiple ways to authenticate the user's request.

For more information you can visit Wikipedia or search for more about CSRF.

Now let's check how you can prevent CSRF while developing a web application in MVC.

If you are an experienced MVC developer then you might already know about the @Html.AntiForgeryToken() method available in the HTML helper extensions provided in MVC. If you are a newbie, or have just shifted to MVC from traditional event-based ASP.NET (.aspx, my first love in technology), then you might be using it without being much aware of what it does.

So let’s see what it is.

You need to call the @Html.AntiForgeryToken() method in your view inside BeginForm(), like below.

@using (Html.BeginForm())
{
    @Html.AntiForgeryToken()

    ………
}

When you use the method like above, the anti-forgery token is created by the server in a hidden form field when the form is generated.

One more step is to add the ValidateAntiForgeryToken attribute to the action method that you want to protect, like below.

[HttpPost]
[Authorize(Roles = "Admin")]
[ValidateAntiForgeryToken] // rejects the POST when the token is missing or does not match
public ActionResult SaveInformation(InformationModel infomodel)
{
    if (ModelState.IsValid)
    {
        ......
    }
    return View(infomodel);
}


That's it. Now whenever you submit the form, the anti-forgery token is validated first, and if it is missing or does not match, the request is rejected with an error such as “The required anti-forgery form field “_RequestVerificationToken” is not present”.

So even if someone submits a fake form to the server, it is rejected because it does not carry the correct anti-forgery token. This ensures that the form is posted to the same server that created it.

Hope this simple post has benefited you by adding some useful information to your knowledge bank. If you have something positive to add to this post then please do share it in the comment section.
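To make the check concrete, here is a small Python model of the synchronizer-token pattern described above. It is an added illustration, not ASP.NET's own code: the server key, the user names and the helper names (issue_tokens, validate, demo) are invented for the example, and only the field and cookie names are the ones MVC actually uses.

```python
import hmac
import hashlib
import secrets

# Illustrative model of the synchronizer-token check behind @Html.AntiForgeryToken()
# and [ValidateAntiForgeryToken]; it is not ASP.NET's own implementation.
FORM_FIELD = "_RequestVerificationToken"    # hidden field name MVC emits
COOKIE_NAME = "__RequestVerificationToken"  # cookie name MVC sets alongside it

# Constructed per-process secret; the real framework manages its own keys.
_SERVER_KEY = secrets.token_bytes(32)


def _sign(cookie_token: str, username: str) -> str:
    """Bind the form token to the cookie token and the logged-in user."""
    msg = f"{cookie_token}|{username}".encode()
    return hmac.new(_SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_tokens(username: str) -> tuple[dict, dict]:
    """Form render: returns (cookies to set, hidden fields to emit)."""
    cookie_token = secrets.token_hex(16)
    return {COOKIE_NAME: cookie_token}, {FORM_FIELD: _sign(cookie_token, username)}


def validate(cookies: dict, form: dict, username: str) -> tuple[bool, str]:
    """POST handling: the kind of check [ValidateAntiForgeryToken] performs."""
    form_token = form.get(FORM_FIELD)
    if form_token is None:
        return False, ('The required anti-forgery form field '
                       '"_RequestVerificationToken" is not present.')
    cookie_token = cookies.get(COOKIE_NAME)
    if cookie_token is None:
        return False, "anti-forgery cookie is not present"
    # constant-time compare so timing does not leak the expected token
    if not hmac.compare_digest(_sign(cookie_token, username), form_token):
        return False, "anti-forgery token does not match"
    return True, "ok"


def demo() -> dict:
    """Legitimate submit versus two submits forged from another origin."""
    user = "alice"
    cookies, fields = issue_tokens(user)
    results = {"legit": validate(cookies, {"amount": "10", **fields}, user)[0]}
    # Cross-site form: the browser still attaches alice's cookie, but a page on
    # another origin cannot read her hidden field, so it is absent.
    results["csrf_no_field"] = validate(cookies, {"amount": "10"}, user)[0]
    # Token issued for a different session/user does not match alice's cookie.
    _, other_fields = issue_tokens("mallory")
    results["csrf_other_token"] = validate(cookies, other_fields, user)[0]
    return results
```

The cookie alone is not enough to pass the check; only a form rendered by the server for this user carries a matching hidden field, which is exactly why a forged form is rejected.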
