When is the use of an AntiForgeryToken not required/needed?

夕颜
夕颜 2020-12-08 10:33

UPD: Same question asked on security.stackexchange.com and the answer I got is different. Please follow there, to get the correct answer!

I'm runni

1 answer
  • 2020-12-08 11:17

    Anti-forgery tokens are useless in public parts of the site where users are not yet authenticated, such as login and register forms. The way a CSRF attack works is the following:

    1. A malicious user sets up an HTML form on his site which resembles your site. This form could contain hidden fields as well.
    2. He tricks one of your site's users into visiting his malicious URL.
    3. The user thinks that he is on your site, fills in the form and submits it to your site.
    4. If the user was already authenticated on your site, the form submission succeeds and the unsuspecting user has deleted his account (or whatever you can imagine).

    So you should use anti-forgery tokens on authenticated parts of your site containing actions that could somehow modify the user's state.

    Remark: checking the Referer header to identify that a request came from your site is not secure. Anyone can forge a request and spoof this header.

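The mechanism the answer describes, as an added example that is not part of the original post and not ASP.NET's own implementation: a session-bound synchronizer token is issued when the form is rendered and must be echoed back in the form body of any state-changing request. The browser attaches the session cookie to a cross-site submission automatically, but the attacker's page cannot read the token, so a forged request fails even if it carries a spoofed Referer. The secret key, session ids and request dictionaries are constructed for the example; the field name `__RequestVerificationToken` is borrowed from ASP.NET MVC only for familiarity.

```python
import hashlib
import hmac
import secrets

# Constructed for the example; a real application loads this from configuration.
SERVER_SECRET = b"example-only-server-secret"
TOKEN_FIELD = "__RequestVerificationToken"


def issue_token(session_id: str) -> str:
    """Mint an anti-forgery token bound to one session.

    Synchronizer-token pattern: a random nonce plus an HMAC over
    (session_id, nonce). Binding to the session means a token obtained
    in the attacker's own session cannot be replayed against a victim.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_is_valid(session_id: str, token: str) -> bool:
    """Recompute the HMAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_delete_account(request: dict) -> tuple[int, str]:
    """A state-changing endpoint (the 'delete account' case from the answer).

    `request` is a constructed stand-in for an HTTP request:
      {"cookies": {...}, "headers": {...}, "form": {...}}
    The session cookie proves who the browser is logged in as; only the
    token in the form body proves the form was rendered by this site.
    The Referer header is deliberately ignored, because it can be spoofed.
    """
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return 401, "not authenticated"
    token = request.get("form", {}).get(TOKEN_FIELD, "")
    if not token_is_valid(session_id, token):
        return 403, "anti-forgery token missing or invalid"
    return 200, f"account for session {session_id} deleted"


def demo() -> dict:
    """Replay the four steps of the attack and the legitimate flow; return the outcomes."""
    victim = "sess-victim-42"           # constructed session id of a logged-in user
    attacker = "sess-attacker-7"        # constructed session id of the attacker's own login

    # Legitimate flow: our site rendered the form and embedded a token for the victim.
    legit = {"cookies": {"session": victim}, "form": {TOKEN_FIELD: issue_token(victim)}}

    # Forged flow: the victim's browser submits the attacker's look-alike form.
    # The cookie is attached automatically, but the attacker has no token for this session.
    forged_no_token = {"cookies": {"session": victim}, "form": {}}

    # Attacker tries a token minted for his own session and spoofs the Referer.
    forged_wrong_session = {
        "cookies": {"session": victim},
        "headers": {"Referer": "https://your-site.example/account"},
        "form": {TOKEN_FIELD: issue_token(attacker)},
    }

    # Unauthenticated visitor: there is no session to forge, so the token adds nothing here.
    anonymous = {"cookies": {}, "form": {}}

    return {
        "legitimate": handle_delete_account(legit)[0],
        "forged_no_token": handle_delete_account(forged_no_token)[0],
        "forged_wrong_session": handle_delete_account(forged_wrong_session)[0],
        "anonymous": handle_delete_account(anonymous)[0],
    }


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:>22}: HTTP {status}")
```

The `anonymous` case illustrates the answer's point: with no session cookie there is no ambient authority for a forged request to ride on, so the endpoint rejects it on authentication alone and the token check never comes into play.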