Maarten Balliauw {blog}

Maarten Balliauw is currently employed as .NET Technical Consultant at RealDolmen. His interests are mainly web applications developed in ASP.NET (C#) or PHP and the Windows Azure cloud platform.

ASP.NET MVC preview 5's AntiForgeryToken helper method and attribute

The new ASP.NET MVC preview 5 features a number of new HtmlHelper methods. One of these is HtmlHelper.AntiForgeryToken. When you place <%=Html.AntiForgeryToken()%> on your view, it renders a hidden field similar to the following:

<input name="__MVC_AntiForgeryToken" type="hidden" value="Ak8uFC1MQcl2DXfJyOM4DDL0zvqc93fTJd+tYxaBN6aIGvwOzL8MA6TDWTj1rRTq" />

When you combine this with the action filter attribute [ValidateAntiForgeryToken], each round trip to the server is validated against this token:

// Only form posts that carry a token issued by Html.AntiForgeryToken() reach this method.
[ValidateAntiForgeryToken]
public ActionResult Update(int? id, string name, string email) {
    // ...
}

Whenever someone tampers with this hidden HTML field's data or posts to the action method from another rendered view instance, ValidateAntiForgeryToken throws an AntiForgeryTokenValidationException.
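The cookie-plus-hidden-field check described above, as an added example that is not the post's or the framework's own code: a simplified Python model in which the hidden field is an HMAC over a random cookie value (the cookie name, the key handling and the HMAC construction are assumptions; MVC's real token serialization differs). It shows that a tampered or missing token is rejected while edits to other form fields are not, since the token protects only itself.

```python
import base64
import hashlib
import hmac
import os

# Constructed server-side key; a real app would use a persistent machine key.
SECRET_KEY = os.urandom(32)
FIELD_NAME = "__MVC_AntiForgeryToken"          # hidden field name shown in the post
COOKIE_NAME = "__MVC_AntiForgeryToken_cookie"  # cookie name is an assumption

class AntiForgeryTokenValidationException(Exception):
    pass

def _form_value(cookie_value, salt):
    # HMAC over the cookie value: a page from another origin cannot compute it.
    mac = hmac.new(SECRET_KEY, f"{cookie_value}|{salt}".encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def issue_tokens(salt=""):
    """Server side of Html.AntiForgeryToken(): random cookie value + matching form value."""
    cookie_value = base64.b64encode(os.urandom(16)).decode()
    return cookie_value, _form_value(cookie_value, salt)

def validate_anti_forgery_token(cookies, form, salt=""):
    """Server side of [ValidateAntiForgeryToken]. Only the token is checked;
    other form fields are not covered by it."""
    cookie_value = cookies.get(COOKIE_NAME)
    form_value = form.get(FIELD_NAME)
    if cookie_value is None or form_value is None:
        raise AntiForgeryTokenValidationException("anti-forgery token missing")
    expected = _form_value(cookie_value, salt)
    if not hmac.compare_digest(form_value.encode(), expected.encode()):
        raise AntiForgeryTokenValidationException("anti-forgery token mismatch")

def is_valid_post(cookies, form, salt=""):
    try:
        validate_anti_forgery_token(cookies, form, salt)
        return True
    except AntiForgeryTokenValidationException:
        return False

def run_scenarios():
    cookie_value, form_value = issue_tokens()
    cookies = {COOKIE_NAME: cookie_value}
    legit = {FIELD_NAME: form_value, "name": "alice", "email": "alice@example.com"}
    return {
        "legitimate": is_valid_post(cookies, legit),
        "edited_other_field": is_valid_post(cookies, dict(legit, email="mallory@example.com")),
        "edited_token": is_valid_post(cookies, dict(legit, **{FIELD_NAME: form_value[::-1]})),
        "cross_site_post": is_valid_post(cookies, {"name": "alice", "email": "x@example.com"}),
    }
```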


Categories: ASP.NET | C# | General | MVC

Comments

tommy kelly (United States), Tuesday, September 02, 2008 12:59 AM

That's cool for some stuff, but let's make sure we don't bake that into the framework. It has a very _EVENTVALIDATION and _VIEWSTATE kinda smell :)

Tim (United States), Sunday, September 28, 2008 5:19 PM

This is great, except it doesn't seem to work. I did the following:

1) followed the example code in this post exactly
2) verified that the token was placed in the web page exactly as shown in this post
3) using Firebug, modified a hidden field inside the form that contains the token
4) clicked submit button causing a form post
5) inspected Request.Form inside the action method called by the form post and verified that the modified value was in the form

No exception was thrown. Now, when I modified the token itself an exception *was* thrown. I tried this with and without a salt value. Did I do something wrong or is this not working?

maartenba (Belgium), Sunday, October 05, 2008 11:55 AM

If you tamper with the value, you get an exception? That's actually the point of this: ensure no one tampers with the value, to ensure that the origin of the form post is the one you actually sent to the user.

Jon Davis (United States), Friday, April 10, 2009 8:51 AM

Does using this make your actions untestable with NUnit/MbUnit/MSTest?

maartenba (Belgium), Friday, April 10, 2009 9:13 AM

No, this does not influence testing. Attributes are ignored when under unit test.
