Maarten Balliauw {blog}

ASP.NET, ASP.NET MVC, Windows Azure, PHP, ...

NAVIGATION - SEARCH

ASP.NET MVC preview 5's AntiForgeryToken helper method and attribute

The new ASP.NET MVC preview 5 featured a number of new HtmlHelper methods. One of these methods is the HtmlHelper.AntiForgeryToken. When you place <%=Html.AntiForgeryToken()%> on your view, this will be rendered similar to the following:

[code:c#]

<input name="__MVC_AntiForgeryToken" type="hidden" value="Ak8uFC1MQcl2DXfJyOM4DDL0zvqc93fTJd+tYxaBN6aIGvwOzL8MA6TDWTj1rRTq" />

[/code]

When using this in conjunction with the action filter attribute [ValidateAntiForgeryToken], each round trip to the server will be validated based on this token.

[code:c#]

[ValidateAntiForgeryToken]
public ActionResult Update(int? id, string name, string email) {
    // ...
}

[/code]

Whenever someone tampers with this hidden HTML field's data or posts to the action method from another rendered view instance, this ValidateAntiForgeryToken will throw a AntiForgeryTokenValidationException.

kick it on DotNetKicks.com

blog comments powered by Disqus