ASP.NET MVC preview 5’s AntiForgeryToken helper method and attribute


The new ASP.NET MVC preview 5 features a number of new HtmlHelper methods. One of them is HtmlHelper.AntiForgeryToken. When you place <%=Html.AntiForgeryToken()%> in your view, it renders as something similar to the following:

[code:html]

<input name="__MVC_AntiForgeryToken" type="hidden" value="Ak8uFC1MQcl2DXfJyOM4DDL0zvqc93fTJd+tYxaBN6aIGvwOzL8MA6TDWTj1rRTq" />

[/code]

When used in conjunction with the action filter attribute [ValidateAntiForgeryToken], every post back to the server is validated against this token.

[code:c#]

[ValidateAntiForgeryToken]
public ActionResult Update(int? id, string name, string email) {
    // ...
}

[/code]

Whenever someone tampers with the value of this hidden HTML field, or posts to the action method from a form other than the rendered view instance that issued the token, ValidateAntiForgeryToken throws an AntiForgeryTokenValidationException.
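Putting the two pieces together, here is an added example (my own code, not from the original post or the MVC framework) of a controller whose GET action renders a form carrying the token and whose POST action is guarded by the attribute. The controller name, the view markup in the comment, the Controller.OnException override and the InvalidRequest view are my assumptions; note that the token only proves the post came from a form you rendered, it does not protect the other fields from being edited by the user who owns the form.

```csharp
using System.Web.Mvc;

public class ProfileController : Controller
{
    // GET /Profile/Edit/5
    // The Edit view (assumed) contains the form that posts to Update; the token
    // must be emitted INSIDE that <form> so it is sent along with the post:
    //
    //   <form method="post" action="/Profile/Update/5">
    //       <%=Html.AntiForgeryToken()%>
    //       <input name="name"  type="text" />
    //       <input name="email" type="text" />
    //       <input type="submit" value="Save" />
    //   </form>
    public ActionResult Edit(int id)
    {
        return View();
    }

    // POST /Profile/Update/5
    // The filter runs before the action body: a missing, altered or foreign
    // token raises AntiForgeryTokenValidationException and the body never runs.
    // Fields such as name and email are NOT covered by the token; validate them
    // in the action as you would any other user input.
    [ValidateAntiForgeryToken]
    public ActionResult Update(int? id, string name, string email)
    {
        // ... validate name/email and persist the profile ...
        return RedirectToAction("Edit", new { id });
    }

    // Assumed hook: turn the validation failure into a friendly view instead of
    // the yellow screen of death. Log it, since a genuine cross-site post
    // attempt looks exactly like this on the server side.
    protected override void OnException(ExceptionContext filterContext)
    {
        if (filterContext.Exception is AntiForgeryTokenValidationException)
        {
            filterContext.ExceptionHandled = true;
            filterContext.Result = View("InvalidRequest");
        }
        base.OnException(filterContext);
    }
}
```

Calling Update(...) directly from a unit test bypasses the filter pipeline, so the attribute has no effect there; only requests that go through the MVC pipeline are validated.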


This is an imported post. It was imported from my old blog using an automated tool and may contain formatting errors and/or broken images.

5 responses

  1. tommy kelly, September 2nd, 2008

    That's cool for some stuff, but let's make sure we don't bake that into the framework. It has a very _EVENTVALIDATION and _VIEWSTATE kinda smell :)

  2. Tim, September 28th, 2008

    This is great, except it doesn't seem to work. I did the following:

    1) followed the example code in this post exactly
    2) verified that the token was placed in the web page exactly as shown in this post
    3) using Firebug, modified a hidden field inside the form that contains the token
    4) clicked submit button causing a form post
    5) inspected Request.Form inside the action method called by the form post and verified that the modified value was in the form

    No exception was thrown. Now, when I modified the token itself an exception *was* thrown. I tried this with and without a salt value. Did I do something wrong or is this not working?

  3. maartenba, October 5th, 2008

    If you tamper with the value, you get an exception? That's actually the point of this: ensure no one tampers with the value, to ensure that the origin of the form post is the one you actually sent to the user.

  4. Jon Davis, April 10th, 2009

    Does using this make your actions untestable with NUnit/MbUnit/MSTest?

  5. maartenba, April 10th, 2009

    No, this does not influence testing. Attributes are ignored when under unit test.