Subscribe - It's FREE!!

Stay Connected Here

Stay Updated With Us Here


What is Anti-forgery Token in MVC - Prevent cross site request forgery (CSRF)

Share with WhatsApp

This post covers information about what is cross site request forgery (CSRF) and how you can prevent it in your MVC web application using simple mechanism provided called “Anti-Forgery Token”.

"What is Cross Site Request Forgery (CSRF)”?

Cross site request forgery is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. It’s also known as “One click attack”.

In simple words, its type of hack in which user’s identity is gets used to send bad request to the site for which he is authenticated user.

E.g. suppose user has logged in and as like most of the site site too put some cookie in user’s browser containing authentication information. In such case if someone send some bad request to the it will get executed as user is already authenticated and already allowed to send information which is very dangerous on point of security of the site. Though, this example is very general and just for understanding purpose. Bank sites in nowadays are well maintained in terms of security of the user and usually has multiple ways to authenticate the user request.

For more information you can visit Wikipedia here or can Google more about CSRF.

Now let’s check how you can prevent CSRF while developing web application in MVC.

If you are expeirinced MVC developer then you might aleardy know about @Html.AntiForgeryToken() method available in HTML extensions provided in MVC but you are newbie or just shifted to MVC from traditional event based ASP.NET (.aspx – My first love in technology) then you might using it but not much aware of it.

So let’s see what it is.

You need to use @Html.AntiForgeryToken() method in your view under BeginForm() like below.

@using (Html.BeginForm()) {    





When you use method like above AntiForgeryToken gets created in hidden form field by the server when form gets generated.  

And one more step is to add ValidateAntiForgeryTokenAttribute attribute to the action method that you want to protect like below.

[Authorize(Roles = "Admin")] 
public ActionResult SaveInformation(InformationModel infomodel) 
    if (ModelState.IsValid) 
    return View(infomodel); 

That’s it.  Now whenever you submit the form anti-forgery token gets validated first and if not matches error gets shown as “The required anti-forgery form field “_RequestVerificationToken” is not present”.

So even if someone submits fake form to the server it gets rejected as it doesn’t has the correct anti-forgery token which ensures that form is getting posted to the same server by which it was created.

Hope this simple post has benefited you by adding some useful information in your knowledge bank. If you are having something positive to add this post then please do share it in comment section.

Sharing is caring!! Do it now by clicking any of the sharing button provided.

If you enjoyed this post take 5 seconds to share it! Be Socialable. :-)

Share with WhatsApp

Posts To Read Next

Top 10 Visual Studio things which can boost developers coding speed

Visual Studio 2012 provides some coding features by which you can code faster if use them properly. This post will cover top 10 things among them to boost your development speed.

Visual Studio 2008 Shell and TFS integration

Visual Studio 2008 Shell and TFS integration is the problem for all newbies of BIDS and TFS. Here is the solution.

How to call click or any event only once in jQuery

Know how to execute an click event or any event only once for any element in jQuery. Perform action only once and even not required to unbind event.

Assembla - Free and private repository to manage your source code online with SVN subversion hosting

With Assembla you can share source code with others online. Free & Private source code repository with SVN Subversion, Git & Perforce Hosting.

Best CSS Gradient background generator tools online

Here are some best CSS gradient background code generator online tools using which you can create a cross browser css code for gradient backgrounds.

Your opinion is valuable for us! Comments, suggetions are welcome.

Submit your Email Id to stay updated with us and get notified with our new posts. It's FREE!
We know this popup is disturbing you!
But We would greatly appreciate if you share us with your friends below!

It will not take more than 2 seconds but will motivate us greatly to write more,share more!