views:

47

answers:

3

Can somebody tell me more details about it?

A: 

In general, the anti-forgery token is an HTML hidden input that's rendered for you to avoid CSRF attacks. Broadly, it works by comparing the value that the server sent down to the client to what the client sends back on the post. Is that all you're looking for?

You should probably check out MSDN for more details.

Esteban Araya
I would like to better understand what the addressed problem is. I suppose it is a little bit different from XSS. Isn't it?
Lorenzo
@Esteban, @Lorenzo: `AntiForgeryToken` is used to defend against CSRF, not XSS. http://en.wikipedia.org/wiki/Cross-site_request_forgery
LukeH
@LukeH: Thanks for the correction.
Esteban Araya
+1  A: 

Using AntiForgeryToken helps mitigate against cross-site request forgery attacks.

When you use it, your form will contain a hidden field and a corresponding cookie will also be set in the browser.

Then, when the form is submitted, the hidden field is checked against the cookie value (assuming that ValidateAntiForgeryTokenAttribute is used): if the field and the cookie match then the form post is probably genuine; if they don't then it's probably not. (An attacker attempting a CSRF attack might be able to forge the hidden field, but they shouldn't be able to also forge the corresponding cookie value.)

LukeH
Thanks for the answer. If all the user values have been correctly encoded in code, can this still happen?
Lorenzo
+1  A: 

Basically the anti-forgery tokens stop anyone from submitting requests to your site that are generated by a malicious script and not by the actual user. There is an HTTP-only cookie (not readable by a script running in the browser, but sent by the browser and accessible by the server) that gets sent to the client; it is used to generate a hidden field value which is then validated against the cookie. At least I think that's the process.

There is a good description of this here which is exactly what you are asking about http://msmvps.com/blogs/luisabreu/archive/2009/02/09/the-mvc-platform-the-new-anti-forgery-token.aspx

ameer
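To make the cookie-versus-hidden-field check described in LukeH's and ameer's answers concrete, here is an added Python model of it. This is not ASP.NET MVC's own code: the HMAC construction, the server key and the token sizes are assumptions for the demo, and the real framework also binds the token to the user and a salt.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret for this demo (a real app keeps it in config).
SERVER_KEY = b"demo-server-key-not-for-production"


def issue_tokens():
    """Server side, when rendering the form (what Html.AntiForgeryToken() does
    conceptually): mint a random cookie token and a matching hidden-field token.
    The field token is an HMAC of the cookie token, so producing a pair that
    matches requires both the cookie value and the server key."""
    cookie_token = secrets.token_hex(16)
    field_token = hmac.new(SERVER_KEY, cookie_token.encode(), hashlib.sha256).hexdigest()
    return cookie_token, field_token


def validate(cookie_token, field_token):
    """Server side, on POST (what [ValidateAntiForgeryToken] does conceptually):
    recompute the expected field token from the cookie and compare it in
    constant time with the submitted hidden field."""
    if not cookie_token or not field_token:
        return False
    expected = hmac.new(SERVER_KEY, cookie_token.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, field_token)


def simulate_requests():
    """Walk through the cases from the answers: a genuine post and three
    cross-site attempts, returning the validation outcome of each."""
    cookie, field = issue_tokens()
    # Genuine post: the browser sends the hidden field and the HttpOnly cookie.
    genuine = validate(cookie, field)
    # Cross-site form: the victim's cookie is attached automatically, but the
    # attacker cannot read it, so the hidden field can only be a guess.
    guessed_field = validate(cookie, "0" * 64)
    # Request without the cookie at all (e.g. made outside the victim's browser).
    no_cookie = validate(None, field)
    # Attacker reuses a field token from their own session with the victim's cookie.
    _, other_field = issue_tokens()
    swapped = validate(cookie, other_field)
    return {
        "genuine": genuine,
        "guessed_field": guessed_field,
        "no_cookie": no_cookie,
        "swapped": swapped,
    }
```

Only the request that carries both halves minted together passes, which is the property the answers rely on.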