Use Html.AntiForgeryToken() to protect ASP.NET MVC forms, and add the [ValidateAntiForgeryToken] filter to the target action method so that the incoming POST request is validated against the token.
Adding a salt
If you want to protect multiple forms in your website independently of each other, pass a salt value whenever you call Html.AntiForgeryToken(), e.g.
<%= Html.AntiForgeryToken("SomeStringHere") %>
and pass the same salt to the [ValidateAntiForgeryToken] filter on the action that receives the post, e.g.
// Restrict the action to POST, since the anti-forgery filter only validates POST requests.
[AcceptVerbs(HttpVerbs.Post)]
[ValidateAntiForgeryToken(Salt = "SomeStringHere")]
public ViewResult SubmitMethod()
{
    // Handle the validated form post here.
    return View();
}
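As an added example (not code from the original post), the controller below wires two independent forms on one site to their own salts: the form markup each action expects is shown in the comment above it, and the controller, action and salt names are hypothetical.

```csharp
using System.Web.Mvc;

// Two independent forms, each tied to its own salt. The salt string passed to
// Html.AntiForgeryToken() in the view must match the Salt on the action that
// receives the post; a token issued for one salt does not validate on the other.
public class AccountController : Controller
{
    // GET /Account/ChangeEmail renders the form; GET requests are not validated.
    public ViewResult ChangeEmail()
    {
        return View();
    }

    // ChangeEmail.aspx (hypothetical view) contains:
    //   <% using (Html.BeginForm("ChangeEmail", "Account", FormMethod.Post)) { %>
    //     <%= Html.AntiForgeryToken("ChangeEmailSalt") %>
    //     <input type="text" name="newEmail" />
    //     <input type="submit" value="Save" />
    //   <% } %>
    [AcceptVerbs(HttpVerbs.Post)]
    [ValidateAntiForgeryToken(Salt = "ChangeEmailSalt")]
    public ActionResult ChangeEmail(string newEmail)
    {
        // Only reached when the hidden __RequestVerificationToken form field
        // matches the anti-forgery cookie for this salt; on a mismatch the
        // filter throws HttpAntiForgeryException before the action runs.
        if (string.IsNullOrEmpty(newEmail))
        {
            ModelState.AddModelError("newEmail", "An e-mail address is required.");
            return View();
        }
        TempData["Message"] = "E-mail address updated.";
        return RedirectToAction("ChangeEmail");
    }

    public ViewResult ChangePassword()
    {
        return View();
    }

    // ChangePassword.aspx (hypothetical view) uses a different salt:
    //   <%= Html.AntiForgeryToken("ChangePasswordSalt") %>
    [AcceptVerbs(HttpVerbs.Post)]
    [ValidateAntiForgeryToken(Salt = "ChangePasswordSalt")]
    public ActionResult ChangePassword(string oldPassword, string newPassword)
    {
        if (string.IsNullOrEmpty(newPassword) || newPassword == oldPassword)
        {
            ModelState.AddModelError("newPassword", "Choose a new password.");
            return View();
        }
        TempData["Message"] = "Password changed.";
        return RedirectToAction("ChangePassword");
    }
}
```

The Salt property is marked obsolete from ASP.NET MVC 4 onwards, where a single per-user token covers every form, so per-form salts only apply to the MVC 1 to 3 versions this post targets.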
Note: the anti-forgery helpers work only with POST requests, not GET requests, and visitors must accept cookies, because the hidden form field is validated against a cookie.
Technorati Tags: ASP.NET MVC,CSRF