Can somebody tell me more details about it?
Basically, the anti-forgery tokens stop anyone from submitting requests to your site that are generated by a malicious script rather than by the actual user. There is an HTTP-only cookie (not readable by a script running in the browser, but sent by the browser and accessible by the server) that gets sent to the client; it is used to generate a hidden field value, which is then validated against the cookie. At least I think that's the process.
There is a good description of this here, which is exactly what you are asking about: https://blogs.msmvps.com/luisabreu/blog/2009/02/09/the-mvc-platform-the-new-anti-forgery-token/
Well, today we will look at a type of security breach in a web application that is called Cross-Site Request Forgery, or the CSRF hack. CSRF is the lesser-known cousin of XSS. Cross-Site Request Forgery is a type of hack where the hacker exploits the trust a website has in the user.
The easy way to do this is to use the ValidateAntiForgeryToken attribute on the ProductDetails post action method, as follows:
[HttpPost]
[Authorize(Roles = "Admins")]
[ValidateAntiForgeryToken()]   // rejects the POST unless the hidden field matches the cookie token
public ActionResult Edit(ProductDetails productdetails)
{
    if (ModelState.IsValid)
    {
        db.Entry(productdetails).State = EntityState.Modified;
        db.SaveChanges();
        return RedirectToAction("Index");
    }
    return View(productdetails);
}
To generate the AntiForgeryToken and the cookie on the client side, we declare it as follows in the HTML form in Edit.cshtml:
@using (Html.BeginForm()) {
    @Html.ValidationSummary(true)
    @Html.AntiForgeryToken()   @* renders the hidden __RequestVerificationToken field and sets the cookie *@
    <fieldset>
        <legend>ProductDetails</legend>
        …
This ensures that a form being posted to the server was actually generated by the same server. Thus fake forms that do not have the AntiForgeryToken from the correct server get rejected.
Also refer to the simple example here:
https://github.com/devcurry/mvc101-anti-forgery-token
For more information, I think this short excerpt can help us:
The client requests an HTML page that contains a form. The server includes two tokens in the response. One token is sent as a cookie. The other is placed in a hidden form field. The tokens are generated randomly so that an adversary cannot guess the values. When the client submits the form, it must send both tokens back to the server. The client sends the cookie token as a cookie, and it sends the form token inside the form data. (A browser client automatically does this when the user submits the form.) If a request does not include both tokens, the server disallows the request.
Using AntiForgeryToken helps mitigate against cross-site request forgery attacks.
When you use it, your form will contain a hidden field and a corresponding cookie will also be set in the browser.
Then, when the form is submitted, the hidden field is checked against the cookie value (assuming that ValidateAntiForgeryTokenAttribute is used): if the field and the cookie match then the form post is probably genuine; if they don't then it's probably not. (An attacker attempting a CSRF attack might be able to forge the hidden field, but they shouldn't be able to also forge the corresponding cookie value.)
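The two-token exchange described in the excerpt above and in this answer (random cookie token, hidden form token, both required and compared on POST), as an added example that is not part of any answer here and not ASP.NET MVC's own implementation. The binding scheme (form token = keyed HMAC over the cookie token and the logged-in username), the server key, and the function names issue_tokens / validate_request / demo are assumptions made for illustration; the field name __RequestVerificationToken is the one MVC's helper renders, reused here for the cookie as well for simplicity.

```python
"""Cookie + hidden-field anti-forgery check (double-submit pattern).

Added example; not the code of ASP.NET MVC or of any answer on this page.
The HMAC binding, SERVER_KEY and helper names are assumptions for illustration.
"""
import hashlib
import hmac
import secrets

# Assumed server-side secret. In a real app this comes from protected
# configuration (machine key / data protection), never from source code.
SERVER_KEY = secrets.token_bytes(32)

# Name of MVC's hidden field; used for the cookie too in this example (assumption).
TOKEN_NAME = "__RequestVerificationToken"


def _form_token_for(cookie_token: str, username: str) -> str:
    """Derive the form token from the cookie token and the user (assumed scheme)."""
    msg = f"{cookie_token}|{username}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_tokens(username: str) -> tuple[str, str]:
    """Called when the form is rendered (what @Html.AntiForgeryToken() does in MVC).

    Returns (cookie_token, form_token). The cookie token is random and goes into
    an HttpOnly cookie; the form token goes into the hidden input. Binding the
    form token to the cookie and the user means an attacker who controls one
    value still cannot produce a matching pair.
    """
    cookie_token = secrets.token_urlsafe(32)
    return cookie_token, _form_token_for(cookie_token, username)


def validate_request(cookies: dict, form: dict, username: str) -> bool:
    """Called by the POST action (the role [ValidateAntiForgeryToken] plays).

    Rejects the request unless both tokens are present and the form token is
    the one derived from this cookie for this user. Constant-time compare
    avoids leaking how many leading characters matched.
    """
    cookie_token = cookies.get(TOKEN_NAME)
    form_token = form.get(TOKEN_NAME)
    if not cookie_token or not form_token:
        return False  # "if a request does not include both tokens, disallow it"
    expected = _form_token_for(cookie_token, username)
    return hmac.compare_digest(expected, form_token)


def demo() -> dict:
    """Constructed requests: one genuine, three forgery attempts."""
    cookie, field = issue_tokens("alice")

    # 1. Alice submits the real form: browser attaches her cookie, page supplies the field.
    genuine = validate_request({TOKEN_NAME: cookie}, {TOKEN_NAME: field}, "alice")

    # 2. Cross-site forged form: Alice's browser still sends her cookie, but the
    #    attacker's page cannot read it (HttpOnly, other origin), so the hidden
    #    field value is a guess.
    forged = validate_request({TOKEN_NAME: cookie}, {TOKEN_NAME: "guessed-value"}, "alice")

    # 3. Cookie fixation: attacker obtains a valid pair for their own account and
    #    manages to plant both in Alice's session. The user binding rejects it.
    att_cookie, att_field = issue_tokens("mallory")
    fixated = validate_request({TOKEN_NAME: att_cookie}, {TOKEN_NAME: att_field}, "alice")

    # 4. Form token present but cookie missing (e.g. cookies blocked or stripped).
    missing = validate_request({}, {TOKEN_NAME: field}, "alice")

    return {"genuine": genuine, "forged": forged, "fixated": fixated, "missing": missing}


if __name__ == "__main__":
    print(demo())
```

Note that case 2 is the CSRF scenario the answers describe: the browser adds the cookie automatically, but the attacker has no way to read it and therefore no way to fill in the hidden field. Case 3 is why binding the form token to the authenticated user (not just to the cookie) matters: a raw double-submit cookie with no binding would accept an attacker-supplied pair if the attacker can set cookies in the victim's browser.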
In general, the anti-forgery token is an HTML hidden input that's rendered for you to avoid CSRF attacks. Broadly, it works by comparing the value that the server sent down to the client to what the client sends back on the post. Is that all you're looking for?
You should probably check out MSDN for more details.