ASP.NET MVC preview 5’s AntiForgeryToken helper method and attribute

The new ASP.NET MVC preview 5 featured a number of new HtmlHelper methods. One of these methods is the HtmlHelper.AntiForgeryToken. When you place <%=Html.AntiForgeryToken()%> on your view, this will be rendered similar to the following:

[code:c#]

<input name="__MVC_AntiForgeryToken" type="hidden" value="Ak8uFC1MQcl2DXfJyOM4DDL0zvqc93fTJd+tYxaBN6aIGvwOzL8MA6TDWTj1rRTq" />

[/code]

When using this in conjunction with the action filter attribute [ValidateAntiForgeryToken], each round trip to the server will be validated based on this token.

[code:c#]

[ValidateAntiForgeryToken]
public ActionResult Update(int? id, string name, string email) {
    // ...
}

[/code]

Whenever someone tampers with this hidden HTML field's data or posts to the action method from another rendered view instance, this ValidateAntiForgeryToken will throw a AntiForgeryTokenValidationException.

kick it on DotNetKicks.com

This is an imported post. It was imported from my old blog using an automated tool and may contain formatting errors and/or broken images.

Leave a Comment

avatar

5 responses

  1. Avatar for tommy kelly
    tommy kelly September 2nd, 2008

    Thats cool for some stuff, but lets make sure we don't bake that into the framework. It has a very _EVENTVALIDATION and _VIEWSTATE kinda smell :)

  2. Avatar for Tim
    Tim September 28th, 2008

    This is great, except it doesn't seem to work. I did the following:

    1) followed the example code in this post exactly
    2) verified that the token was placed in the web page exactly as shown in this post
    3) using Firebug, modified a hidden field inside the form that contains the token
    4) clicked submit button causing a form post
    5) inspected Request.Form inside the action method called by the form post and verified that the modified value was in the form

    No exception was thrown. Now, when I modified the token itself an exception *[i]was[/i]* thrown. I tried this with and without a salt value. Did I so something wrong or is this not working?

  3. Avatar for maartenba
    maartenba October 5th, 2008

    If you tamper with the value, you get an exception? That's actually the point of this: ensure no one tampers with the value, to ensure that the origin of the form post is the one you actually sent to the user.

  4. Avatar for Jon Davis
    Jon Davis April 10th, 2009

    Does using this make your actions untestable with NUnit/MbUnit/MSTest?

  5. Avatar for maartenba
    maartenba April 10th, 2009

    No, this does not influence testing. Attributes are ignored when under unit test.