What is the Html.AntiForgeryToken helper function for?

Using AntiForgeryToken helps mitigate cross-site request forgery attacks.

When you use it, your form will contain a hidden field and a corresponding cookie will also be set in the browser.

Then, when the form is submitted, the hidden field is checked against the cookie value (assuming that ValidateAntiForgeryTokenAttribute is used): if the field and the cookie match then the form post is probably genuine; if they don't then it's probably not. (An attacker attempting a CSRF attack might be able to forge the hidden field, but they shouldn't be able to also forge the corresponding cookie value.)


Basically, the anti-forgery tokens stop anyone from submitting requests to your site that are generated by a malicious script rather than by the actual user. There is an HTTP-only cookie (not readable by a script running in the browser, but sent by the browser and accessible by the server) that gets sent to the client; it is used to generate a hidden field value, which is then validated against the cookie. At least I think that's the process.

There is a good description of this here, which is exactly what you are asking about: https://blogs.msmvps.com/luisabreu/blog/2009/02/09/the-mvc-platform-the-new-anti-forgery-token/
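The cookie-plus-hidden-field check that the two answers above describe, modelled end to end as an added example. This is not ASP.NET MVC's own implementation and not code from either answer: the token format, the HMAC derivation of the field value from the cookie value, the binding to the logged-in username, and SERVER_KEY are assumptions chosen to make the mechanism concrete. It runs the genuine post and the forgery attempts the answers mention (attacker supplies a hidden field but cannot supply the matching cookie) and shows which ones the server accepts.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Server-side secret that never leaves the server. Assumption: stands in for
# the machine key the real framework uses to protect its tokens; on a web
# farm every node would have to share it.
SERVER_KEY = secrets.token_bytes(32)

# MVC names both the cookie and the hidden field __RequestVerificationToken.
# The values produced below are this example's own format, not MVC's.
COOKIE_NAME = "__RequestVerificationToken"
FIELD_NAME = "__RequestVerificationToken"


def _field_token_for(cookie_token: str, username: str) -> str:
    """Derive the hidden-field value from the cookie value and the current user.

    Without SERVER_KEY nobody can compute a field value that matches a given
    cookie. The username binding is an assumption of this example: it makes a
    pair minted for one account useless when replayed for another.
    """
    msg = f"{cookie_token}|{username}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_tokens(username: str) -> Tuple[str, str]:
    """What Html.AntiForgeryToken() conceptually does while rendering the form:
    mint a fresh random cookie token and the hidden-field token that matches it.
    Returns (cookie_value, hidden_field_value)."""
    cookie_token = secrets.token_hex(16)
    return cookie_token, _field_token_for(cookie_token, username)


def render_hidden_field(field_value: str) -> str:
    """The markup the helper emits inside the form."""
    return f'<input name="{FIELD_NAME}" type="hidden" value="{field_value}" />'


def validate(cookies: Dict[str, str], form: Dict[str, str], username: str) -> bool:
    """What [ValidateAntiForgeryToken] conceptually does on the POST:
    recompute the expected field value from the cookie the browser sent and
    compare it, in constant time, with the field value in the form body."""
    cookie_token = cookies.get(COOKIE_NAME)
    field_token = form.get(FIELD_NAME)
    if not cookie_token or not field_token:
        return False
    expected = _field_token_for(cookie_token, username)
    return hmac.compare_digest(expected, field_token)


def scenarios() -> Dict[str, bool]:
    """Run the genuine post and the forgery attempts the answers describe."""
    # Alice loads the real Edit form: she receives a cookie and a hidden field.
    alice_cookie, alice_field = issue_tokens("alice")

    # Mallory loads the same form in her own browser and obtains her own pair.
    # She can copy her hidden-field value into a form hosted on her site, but
    # her cookie stays in her browser; Alice's browser sends Alice's cookie.
    _mallory_cookie, mallory_field = issue_tokens("mallory")

    return {
        "genuine post": validate(
            {COOKIE_NAME: alice_cookie}, {FIELD_NAME: alice_field}, "alice"),
        "forged form, victim cookie": validate(
            {COOKIE_NAME: alice_cookie}, {FIELD_NAME: mallory_field}, "alice"),
        "forged form, no cookie": validate(
            {}, {FIELD_NAME: mallory_field}, "alice"),
        "hidden field omitted": validate(
            {COOKIE_NAME: alice_cookie}, {}, "alice"),
        "alice's pair replayed as bob": validate(
            {COOKIE_NAME: alice_cookie}, {FIELD_NAME: alice_field}, "bob"),
    }


if __name__ == "__main__":
    for name, accepted in scenarios().items():
        print(f"{name:30} -> {'accepted' if accepted else 'rejected'}")
```

Only the genuine post passes. The point to take from the "forged form, victim cookie" case is that an attacker can always obtain a valid hidden field for their own session; what they cannot do is plant the matching cookie in the victim's browser, and that is the pairing the validator checks.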


Well, today we will look at a type of security breach in a web application called Cross-Site Request Forgery, or a CSRF hack. CSRF is the lesser-known cousin of XSS. Cross-Site Request Forgery is a type of hack where the hacker exploits the trust of a website in the user.

The easy way to do this is to use the ValidateAntiForgeryToken attribute on the ProductDetails POST action method, as follows:

[HttpPost]
[Authorize(Roles = "Admins")]
[ValidateAntiForgeryToken()]   // rejects the POST unless the hidden field matches the cookie token
public ActionResult Edit(ProductDetails productdetails)
{
    if (ModelState.IsValid)
    {
        db.Entry(productdetails).State = EntityState.Modified;
        db.SaveChanges();
        return RedirectToAction("Index");
    }
    return View(productdetails);
}

To generate the anti-forgery token and the cookie on the client side, we declare it as follows in the HTML form in Edit.cshtml:

@using (Html.BeginForm()) {
    @Html.ValidationSummary(true)
    @Html.AntiForgeryToken()
    <fieldset>
        <legend>ProductDetails</legend>

This ensures that a form being posted to the server was actually generated by the same server. Thus fake forms that do not have the AntiForgeryToken from the correct server get rejected.

Also refer to the simple example here:

https://github.com/devcurry/mvc101-anti-forgery-token