AntiForgeryToken() is there in asp.net core

Question

i just read this one https://www.c-sharpcorner.com/article/preventing-csrf-attacks-in-asp-net-core-2-0/ but not seen author use @Html.AntiForgeryToken() so out of my curiosity i like to know @Html.AntiForgeryToken() is there in asp.net core or not ? why author not use @Html.AntiForgeryToken() in view like what we do when we work with asp.net mvc4/5. please share the details information. thanks

Rajneesh Chaubey · Answer

Hi Tridip, @Html.AntiForgeryToken() is present in the ASP.NET Core. It is present under namespace System.Web.Mvc. Here we need to understand Html.AntiForgeryToken(). So it does two things First, it causes a hidden input to be created in the form, like this: Second, it causes a cookie also called __RequestVerificationToken to be created with the same value. Now ASP.NET Core includes three filters for working with antiforgery tokens: ValidateAntiForgeryToken, AutoValidateAntiforgeryToken, and IgnoreAntiforgeryToken. Now when page goes to server, ValidateAntiForgeryToken will ensure whether cookie and hidden form are same or not if they are mismatched or if any one of them are missing server will imediately get to know that request is not valid and throws an exception. Author is not used the Html.antiforgeryToken() rather he manually created hidden field. That is the only difference. Hope you get it. Thanks.

Tridip Bhattacharjee · Answer

@Rahneesh in asp.net core we do not need to include @Html.AntiForgeryToken() in view. if we decorate our action with AntiForgeryToken attribute then automatically RequestVerificationToken is generated in view which we can see at runtime. please share your opinion. thanks

AntiForgeryToken() is there in asp.net core

Answers (2)