Maarten Balliauw {blog}

ASP.NET, ASP.NET MVC, Windows Azure, PHP, ...

ASP.NET MVC preview 5's AntiForgeryToken helper method and attribute

The new ASP.NET MVC preview 5 features a number of new HtmlHelper methods. One of these is HtmlHelper.AntiForgeryToken. When you place <%=Html.AntiForgeryToken()%> in your view, it is rendered similar to the following:

<input name="__MVC_AntiForgeryToken" type="hidden" value="Ak8uFC1MQcl2DXfJyOM4DDL0zvqc93fTJd+tYxaBN6aIGvwOzL8MA6TDWTj1rRTq" />

When this is used together with the [ValidateAntiForgeryToken] action filter attribute, every form post to that action method is validated against this token.

[ValidateAntiForgeryToken]
public ActionResult Update(int? id, string name, string email) {
    // ...
}

Whenever someone tampers with the value of this hidden HTML field, or posts to the action method from a form rendered by another view instance, ValidateAntiForgeryToken throws an AntiForgeryTokenValidationException.
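The following is an added, simplified model of how the hidden field and the filter work together; it is not the framework's code. It assumes the token is also kept in a cookie of the same name (an assumption for this model) and that validation only compares the hidden field's token with that cookie, which also explains why editing other form fields is not caught.

```python
import hmac
import secrets

# The hidden field name is taken from the rendered input above;
# using the same name for the cookie is an assumption of this model.
TOKEN_NAME = "__MVC_AntiForgeryToken"


def render_form(cookies, fields):
    """Server side of Html.AntiForgeryToken(): reuse the browser's token cookie
    or issue a fresh random one, and copy the same value into the hidden field."""
    token = cookies.get(TOKEN_NAME)
    if token is None:
        token = secrets.token_urlsafe(32)
        cookies[TOKEN_NAME] = token  # Set-Cookie on the response
    form = dict(fields)
    form[TOKEN_NAME] = token  # <input type="hidden" name="__MVC_AntiForgeryToken" ...>
    return form


def validate_anti_forgery_token(cookies, form):
    """Model of the [ValidateAntiForgeryToken] filter: the hidden-field token must be
    present and equal to the token cookie sent with the same request.
    Returns True when the post is accepted; the real filter throws instead."""
    cookie_token = cookies.get(TOKEN_NAME)
    form_token = form.get(TOKEN_NAME)
    if cookie_token is None or form_token is None:
        return False
    return hmac.compare_digest(cookie_token, form_token)


def run_scenarios():
    """Constructed scenarios; returns {scenario name: accepted?}."""
    browser_cookies = {}
    legit = render_form(browser_cookies, {"id": "7", "name": "Alice", "email": "a@example.org"})

    # Another field edited in the browser: the token only covers itself, so this still passes.
    edited = dict(legit, email="b@example.org")

    # The token value itself edited ("!" is outside the token alphabet, so it never matches).
    tampered = dict(legit, **{TOKEN_NAME: "!" + legit[TOKEN_NAME][1:]})

    # A form rendered for a different browser session (its own cookie jar) and submitted
    # with the first browser's cookies: the tokens do not match.
    other_session = render_form({}, {"id": "7", "name": "Mallory", "email": "m@example.org"})

    return {
        "legit": validate_anti_forgery_token(browser_cookies, legit),
        "other_field_edited": validate_anti_forgery_token(browser_cookies, edited),
        "token_tampered": validate_anti_forgery_token(browser_cookies, tampered),
        "other_session_form": validate_anti_forgery_token(browser_cookies, other_session),
        "no_cookie": validate_anti_forgery_token({}, legit),
    }
```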



Categories: ASP.NET | C# | General | MVC

Comments (5) -

tommy kelly (United States) - Tuesday, September 02, 2008 12:59 AM

That's cool for some stuff, but let's make sure we don't bake that into the framework. It has a very _EVENTVALIDATION and _VIEWSTATE kinda smell :)

Tim (United States) - Sunday, September 28, 2008 5:19 PM

This is great, except it doesn't seem to work. I did the following:

1) followed the example code in this post exactly
2) verified that the token was placed in the web page exactly as shown in this post
3) using Firebug, modified a hidden field inside the form that contains the token
4) clicked submit button causing a form post
5) inspected Request.Form inside the action method called by the form post and verified that the modified value was in the form

No exception was thrown. Now, when I modified the token itself an exception *was* thrown. I tried this with and without a salt value. Did I do something wrong or is this not working?

maartenba (Belgium) - Sunday, October 05, 2008 11:55 AM

If you tamper with the value, you get an exception? That's actually the point of this: ensure no one tampers with the value, to ensure that the origin of the form post is the one you actually sent to the user.

Jon Davis (United States) - Friday, April 10, 2009 8:51 AM

Does using this make your actions untestable with NUnit/MbUnit/MSTest?

maartenba (Belgium) - Friday, April 10, 2009 9:13 AM

No, this does not influence testing. Attributes are ignored when under unit test.
