Posts

Showing posts from August, 2012

Anti ForgeryToken in ASP.NET MVC

To prevent Cross-Site Request Forgery (CSRF) in ASP.NET MVC applications we use the AntiForgeryToken() helper. Before that, we'll have a look at how CSRF works. Imagine you have an ASP.NET MVC controller class as follows:

    public class UserProfileController : Controller
    {
        public ViewResult Edit()
        {
            return View();
        }

        public ViewResult SubmitUpdate()
        {
            // Get the user's existing profile data (implementation omitted)
            ProfileData profile = GetLoggedInUserProfile();

            // Update the user object
            profile.EmailAddress = Request.Form["email"];
            profile.FavoriteHobby = Request.Form["hobby"];
            SaveUserProfile(profile);

            ViewData["message"] = "Your profile was updated.";
            return View();
        }
    }

This is all very normal. First, the visitor goes to Edit(), which renders some form to let them change their user profile det
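The same controller hardened with the AntiForgeryToken() helper, as an added example that is not code from the original post. The ProfileData class and the in-memory Store, GetLoggedInUserProfile() and SaveUserProfile() members are assumed placeholders standing in for the persistence the post omits.

```csharp
using System.Web.Mvc;

// Assumed placeholder for the profile type the post does not define.
public class ProfileData
{
    public string EmailAddress { get; set; }
    public string FavoriteHobby { get; set; }
}

public class UserProfileController : Controller
{
    // Assumed placeholder persistence so the example compiles.
    private static readonly ProfileData Store = new ProfileData();
    private ProfileData GetLoggedInUserProfile() { return Store; }
    private void SaveUserProfile(ProfileData profile) { /* Store updated in place */ }

    [HttpGet]
    public ViewResult Edit()
    {
        // The Edit view must render the hidden token inside the form:
        //
        //   @using (Html.BeginForm("SubmitUpdate", "UserProfile", FormMethod.Post))
        //   {
        //       @Html.AntiForgeryToken()
        //       <input type="text" name="email" />
        //       <input type="text" name="hobby" />
        //       <input type="submit" value="Save" />
        //   }
        //
        // Html.AntiForgeryToken() emits a hidden __RequestVerificationToken field
        // and a matching cookie. A cross-site form cannot read the cookie to fill
        // in the field, so its submission fails validation in SubmitUpdate().
        return View();
    }

    // [HttpPost] keeps a plain GET (a link or <img src>) from running the update;
    // [ValidateAntiForgeryToken] rejects any POST whose hidden field does not match
    // the __RequestVerificationToken cookie by throwing HttpAntiForgeryException.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ViewResult SubmitUpdate()
    {
        ProfileData profile = GetLoggedInUserProfile();
        profile.EmailAddress = Request.Form["email"];
        profile.FavoriteHobby = Request.Form["hobby"];
        SaveUserProfile(profile);
        ViewData["message"] = "Your profile was updated.";
        return View();
    }
}
```

Without both attributes the check is incomplete: [ValidateAntiForgeryToken] alone still leaves a GET-reachable action, and [HttpPost] alone still accepts a forged POST carrying the victim's session cookie.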