One of the areas of internet programming that we, as programmers, need to be careful about is spoofing. Spoofing a form means sending data to your web pages from somewhere else, not from the form your application generated.
MVC has something pretty nice to prevent this from happening, called the AntiForgeryToken. To implement it, inside the curly braces of the BeginForm helper, add this token:
@using (Html.BeginForm()) {
    @Html.AntiForgeryToken()
    @* the rest of the form fields and the submit button go here *@
}
This sets up a token on that form, tied to the machine key, to make sure that whatever is being sent to the server is only coming via the form itself and not from outside.
The other thing that needs to be done to use this token is to put the ValidateAntiForgeryToken attribute above the ActionResult method that receives the form post:
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult YourActionResultName()
{
    return View(); // runs only after the posted token has been validated
}
This basically confirms that the token posted back is the same one the AntiForgeryToken helper set up. So, if a copy of the form were actually hosted on another site and posting to your server, the request would be treated as an invalid post and would not continue.
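Putting the two halves together, as an added example that is not code from the original post: the GET action that renders the form, the POST action guarded by the attribute, and an exception filter that turns a rejected token into a logged 400 response instead of an unhandled error. The controller, model, view and property names are assumptions.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Diagnostics;
using System.Web.Mvc;

/* Views/Contact/Contact.cshtml (Razor), hypothetical:
@model ContactModel
@using (Html.BeginForm()) {
    @Html.AntiForgeryToken()   // emits hidden __RequestVerificationToken + cookie
    @Html.TextBoxFor(m => m.Name)
    @Html.TextAreaFor(m => m.Message)
    <input type="submit" value="Send" />
}
*/

// Hypothetical model bound from the posted form.
public class ContactModel
{
    [Required] public string Name { get; set; }
    public string Message { get; set; }
}

// Catches the exception MVC throws when the form token and cookie token do
// not pair up, records it, and answers with a plain 400 instead of an error page.
public class AntiForgeryFailureFilter : HandleErrorAttribute
{
    public override void OnException(ExceptionContext ctx)
    {
        if (!(ctx.Exception is HttpAntiForgeryException)) return;
        Trace.TraceWarning("Anti-forgery check failed for {0} from {1}",
            ctx.HttpContext.Request.RawUrl, ctx.HttpContext.Request.UserHostAddress);
        ctx.Result = new HttpStatusCodeResult(400, "Invalid anti-forgery token");
        ctx.ExceptionHandled = true;
    }
}

[AntiForgeryFailureFilter]
public class ContactController : Controller
{
    [HttpGet]
    public ActionResult Contact() { return View(new ContactModel()); }

    // The attribute validates the token before this body runs, so a post
    // built on another site never reaches the handling code below.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Contact(ContactModel model)
    {
        if (!ModelState.IsValid) return View(model);
        // ... store or send the message ...
        return RedirectToAction("Contact");
    }
}
```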
All Things DotNet Discussed – Winforms/ASP.Net/SharePoint/WPF