
Maarten Balliauw {blog}

ASP.NET, ASP.NET MVC, Azure, PHP, OpenXML, VSTS, ...

About the author

Maarten Balliauw is an MVP ASP.NET and is currently employed as .NET Software Engineer at RealDolmen. His interests are mainly web applications developed in ASP.NET (C#) or PHP.



I'm a speaker at TechDays Belgium and TechDays Finland


    Disclaimer

    The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

    © Copyright Maarten Balliauw 2010

    ASP.NET MVC preview 5's AntiForgeryToken helper method and attribute

    The new ASP.NET MVC preview 5 featured a number of new HtmlHelper methods. One of these methods is the HtmlHelper.AntiForgeryToken. When you place <%=Html.AntiForgeryToken()%> on your view, this will be rendered similar to the following:

    <input name="__MVC_AntiForgeryToken" type="hidden" value="Ak8uFC1MQcl2DXfJyOM4DDL0zvqc93fTJd+tYxaBN6aIGvwOzL8MA6TDWTj1rRTq" />

    When using this in conjunction with the action filter attribute [ValidateAntiForgeryToken], each round trip to the server will be validated based on this token.

    [ValidateAntiForgeryToken]
    public ActionResult Update(int? id, string name, string email) {
        // ...
    }

    Whenever someone tampers with this hidden HTML field's data, or posts to the action method from another rendered view instance, ValidateAntiForgeryToken will throw an AntiForgeryTokenValidationException.
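    To make the mechanism concrete, here is an added example (not code from the post and not ASP.NET MVC's own implementation) that models the synchronizer-token scheme the helper and attribute rely on: a random value is set in a cookie when the view is rendered, the hidden field carries a keyed MAC over that cookie value and an optional salt, and the action filter recomputes the MAC on the POST and compares it with the submitted field. The cookie name, the MAC construction, the server key and the scenario data are all assumptions of this model. It also shows the boundary of the protection: a user editing a different field of the same form still passes, because the token binds the post to the form the server issued, not to the other field values.

```python
import hashlib
import hmac
import os
import secrets

# Constructed stand-in for the server secret (MVC would derive this from machineKey).
SERVER_KEY = os.urandom(32)
# Hidden-field name shown in the post; reusing it as the cookie name is an assumption.
FIELD = "__MVC_AntiForgeryToken"


class AntiForgeryTokenValidationException(Exception):
    """Raised when the posted token does not match the cookie-bound expectation."""


def issue_cookie_token() -> str:
    """Random per-browser value stored in a cookie when the view is rendered."""
    return secrets.token_hex(16)


def render_form_token(cookie_token: str, salt: str = "", key: bytes = SERVER_KEY) -> str:
    """Value written into the hidden field: a keyed MAC over cookie value and salt."""
    msg = (cookie_token + "|" + salt).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def validate_anti_forgery_token(form: dict, cookies: dict, salt: str = "",
                                key: bytes = SERVER_KEY) -> bool:
    """Model of the check [ValidateAntiForgeryToken] performs on a POST."""
    cookie_token = cookies.get(FIELD)
    form_token = form.get(FIELD)
    if cookie_token is None or form_token is None:
        raise AntiForgeryTokenValidationException("token missing from form or cookie")
    expected = render_form_token(cookie_token, salt, key)
    # Constant-time comparison so the check itself leaks nothing about the token.
    if not hmac.compare_digest(expected, form_token):
        raise AntiForgeryTokenValidationException("form token does not match cookie")
    return True


def _passes(form: dict, cookies: dict, salt: str = "") -> bool:
    try:
        return validate_anti_forgery_token(form, cookies, salt)
    except AntiForgeryTokenValidationException:
        return False


def scenarios() -> dict:
    """Constructed round trips; returns scenario name -> whether validation passed."""
    cookie = issue_cookie_token()
    cookies = {FIELD: cookie}
    good_form = {FIELD: render_form_token(cookie), "id": "1", "name": "alice"}

    # Same browser edits a non-token field before posting: the token stays valid.
    edited_form = dict(good_form, name="bob")

    # The token itself is altered (flip the last hex digit).
    tampered = dict(good_form)
    last = tampered[FIELD][-1]
    tampered[FIELD] = tampered[FIELD][:-1] + ("0" if last != "0" else "1")

    # A form rendered for a different browser (different cookie) replayed here.
    other_cookie = issue_cookie_token()
    foreign_form = {FIELD: render_form_token(other_cookie), "id": "1", "name": "alice"}

    # View rendered with a salt; the action must validate with the same salt.
    salted_form = {FIELD: render_form_token(cookie, "update"), "id": "1"}

    return {
        "legitimate post": _passes(good_form, cookies),
        "other field edited": _passes(edited_form, cookies),
        "token tampered": _passes(tampered, cookies),
        "token from another session": _passes(foreign_form, cookies),
        "no cookie": _passes(good_form, {}),
        "salt matches": _passes(salted_form, cookies, "update"),
        "salt mismatch": _passes(salted_form, cookies, "delete"),
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:28s} {'accepted' if ok else 'rejected'}")
```

    The "other field edited" scenario is the one to keep in mind when reasoning about what the attribute buys you: it stops a request that did not originate from a form this server rendered for this browser, and it stops a modified or replayed token; it says nothing about the other values in the request, which still need the usual server-side validation.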



    Categories: ASP.NET | C# | General | ICT | Internet | MVC

    Comments


    tommy kelly (United States), Tuesday, September 02, 2008 12:59 AM

    That's cool for some stuff, but let's make sure we don't bake that into the framework. It has a very _EVENTVALIDATION and _VIEWSTATE kinda smell :)

    Tim (United States), Sunday, September 28, 2008 5:19 PM

    This is great, except it doesn't seem to work.  I did the following:

    1) followed the example code in this post exactly
    2) verified that the token was placed in the web page exactly as shown in this post
    3) using Firebug, modified a hidden field inside the form that contains the token
    4) clicked submit button causing a form post
    5) inspected Request.Form inside the action method called by the form post and verified that the modified value was in the form

    No exception was thrown. Now, when I modified the token itself an exception *was* thrown. I tried this with and without a salt value. Did I do something wrong or is this not working?

    maartenba (Belgium), Sunday, October 05, 2008 11:55 AM

    If you tamper with the value, you get an exception? That's actually the point of this: ensure no one tampers with the value, to ensure that the origin of the form post is the one you actually sent to the user.

    Jon Davis (United States), Friday, April 10, 2009 8:51 AM

    Does using this make your actions untestable with NUnit/MbUnit/MSTest?

    maartenba (Belgium), Friday, April 10, 2009 9:13 AM

    No, this does not influence testing. Attributes are ignored when under unit test.

    Comments are closed