Tuesday, April 21, 2015

Cross-site Request Forgery (CSRF)

Use Html.AntiForgeryToken() inside the form to protect ASP.NET MVC forms. The helper renders a hidden field named __RequestVerificationToken and sets a matching cookie; to validate the incoming POST request, add the [ValidateAntiForgeryToken] filter to the target action method, which rejects the request (with an HttpAntiForgeryException) unless the hidden field and the cookie match.

Adding a salt

If you want to protect multiple forms in your website independently of each other, so that a token issued for one form cannot be replayed against another action, pass a salt value whenever you call Html.AntiForgeryToken(), e.g.

<%= Html.AntiForgeryToken("SomeStringHere") %>

and pass the same salt to the [ValidateAntiForgeryToken] filter on the action that receives the form, e.g.

[ValidateAntiForgeryToken(Salt="SomeStringHere")]
public ViewResult SubmitMethod()
{
// code here
}

Note: the AntiForgery helpers only protect POST requests, because the token travels in a hidden form field; do not perform state changes on GET requests, as those cannot be protected this way. Visitors must also accept cookies, since validation compares the form field against the cookie value.
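Putting the pieces together, here is an added example (not code from the original post) of a controller with two independently salted form handlers, plus the matching WebForms-style view shown in a comment. The controller, action and view names, the salt strings, and the OnException handling are assumptions for illustration; it assumes ASP.NET MVC 2 or 3, where the Salt property and the [HttpPost] attribute are both available.

```csharp
// Added example, not from the original post. Names and salts are hypothetical.
using System.Net;
using System.Web.Mvc;

public class AccountController : Controller
{
    // GET: renders the form. In the view, Html.AntiForgeryToken("ChangeEmail")
    // emits the hidden field __RequestVerificationToken and sets the paired cookie.
    [HttpGet]
    public ViewResult ChangeEmail()
    {
        return View();
    }

    // POST: the filter compares the hidden field with the cookie and checks that
    // the token was issued with the salt "ChangeEmail"; otherwise it throws
    // HttpAntiForgeryException before this method body runs.
    [HttpPost]
    [ValidateAntiForgeryToken(Salt = "ChangeEmail")]
    public ActionResult ChangeEmail(string newEmail)
    {
        // ... update the signed-in user's e-mail address here ...
        return RedirectToAction("Index", "Home");
    }

    [HttpGet]
    public ViewResult DeleteAccount()
    {
        return View();
    }

    // A different salt: a token captured from the ChangeEmail form will not
    // validate here, even though it came from the same site and the same user.
    [HttpPost]
    [ValidateAntiForgeryToken(Salt = "DeleteAccount")]
    public ActionResult DeleteAccount(bool confirm)
    {
        if (!confirm)
        {
            return RedirectToAction("Index", "Home");
        }
        // ... delete the account here ...
        return RedirectToAction("Index", "Home");
    }

    // Failure mode: a cross-site POST (no token, or a token for another form)
    // raises HttpAntiForgeryException. Turn it into a plain 403 instead of the
    // yellow error page so the forged request is rejected without side effects.
    protected override void OnException(ExceptionContext filterContext)
    {
        if (filterContext.Exception is HttpAntiForgeryException)
        {
            filterContext.ExceptionHandled = true;
            filterContext.HttpContext.Response.StatusCode = (int)HttpStatusCode.Forbidden;
            filterContext.Result = new ContentResult { Content = "Invalid anti-forgery token." };
            return;
        }
        base.OnException(filterContext);
    }
}

/* Views/Account/ChangeEmail.aspx (WebForms view engine, as in the post).
   The salt passed here must equal the Salt on the receiving action:

<% using (Html.BeginForm("ChangeEmail", "Account", FormMethod.Post)) { %>
    <%= Html.AntiForgeryToken("ChangeEmail") %>
    <%= Html.TextBox("newEmail") %>
    <input type="submit" value="Change e-mail" />
<% } %>

   Views/Account/DeleteAccount.aspx uses Html.AntiForgeryToken("DeleteAccount")
   in the same way. */
```

One caveat worth knowing if you are on a newer framework: from ASP.NET MVC 4 the Salt property is marked obsolete and AntiForgeryConfig.AdditionalDataProvider is the replacement for binding extra data into the token; the salt overload shown here is the MVC 1 to 3 API.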


