
AntiForgery Class

Helps prevent malicious scripts from submitting forged page requests.

System::Object
  System.Web.Helpers::AntiForgery

Namespace:  System.Web.Helpers
Assembly:  System.Web.WebPages (in System.Web.WebPages.dll)

public ref class AntiForgery abstract sealed

The AntiForgery type exposes the following members.

  All members listed below are public static methods.

  GetHtml()
    Adds an authenticating token to a form to help protect against request forgery.
  GetHtml(HttpContextBase, String, String, String)  (Obsolete)
    Adds an authenticating token to a form to help protect against request forgery and lets callers specify authentication details.
  GetTokens
    Gets the search tokens.
  Validate()
    Validates that input data from an HTML form field comes from the user who submitted the data.
  Validate(String, String)
    Validates that input data from an HTML form field comes from the user who submitted the data.
  Validate(HttpContextBase, String)  (Obsolete)
    Validates that input data from an HTML form field comes from the user who submitted the data and lets callers specify additional validation details.

This class represents a helper, which is a component that simplifies web programming in ASP.NET Web Pages. You can use the AntiForgery class to help protect against malicious sites that try to forge ("spoof") requests to your site.

A common type of attack on websites is referred to as cross-site request forgery (often abbreviated as CSRF or XSRF). When users visit a malicious website or open a malicious email message or instant message, code running in their browser can secretly submit harmful requests to a site where the users are authenticated, because the browser attaches that site's cookies to the request automatically. In effect, the malicious site forges ("spoofs") requests so that they appear to come from a legitimate user. The forged requests then attempt to perform tasks as the logged-in user, and can range from annoying (such as logging the user off) to serious (such as stealing money).

To help prevent CSRF attacks, use the two public methods of the AntiForgery class as follows:

  1. Call the GetHtml method in an HTML form element. The method creates an encrypted token and adds it to the form as a hidden field. It adds the same token to an HTTP cookie.

  2. After the page has been submitted, call the Validate method to validate that the form field input is legitimate and is not from a forged request. The method compares the token values in the hidden field and the HTTP cookie. If both tokens are present and the values match, the request is valid and your page can finish processing. If a token is missing or the values do not match, the request might be forged. In that case validation fails and the method throws an exception.
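The following Razor page applies both steps in one place. It is an example added here, not code from this reference page or from the ASP.NET team; it assumes an ASP.NET Web Pages site that references System.Web.WebPages, and the "email" field, the status messages and the choice to catch HttpAntiForgeryException and answer with status 400 are choices made for this illustration.

```cshtml
@using System.Web.Helpers
@{
    // Added example (not from the reference page). Assumes ASP.NET Web Pages (Razor)
    // with System.Web.WebPages referenced. The "email" field and the messages below
    // are constructed for this illustration.
    var message = "";

    if (IsPost) {
        try {
            // Step 2: compare the token in the hidden form field with the token in
            // the cookie. Throws HttpAntiForgeryException if either is missing or
            // the values differ, so nothing below runs for a forged request.
            AntiForgery.Validate();

            var newEmail = Request.Form["email"];
            // Placeholder for the real state-changing work (saving the new address).
            message = "Email address updated.";
        }
        catch (HttpAntiForgeryException) {
            // Reject the request rather than processing it; a 4xx status also makes
            // validation failures visible in the server logs.
            Response.StatusCode = 400;
            message = "The request could not be verified. Reload the form and try again.";
        }
    }
}
<!DOCTYPE html>
<html>
<body>
    <p>@message</p>
    <form method="post">
        @* Step 1: emits the hidden __RequestVerificationToken field and sets the matching cookie. *@
        @AntiForgery.GetHtml()
        <label for="email">New email</label>
        <input type="email" id="email" name="email" />
        <input type="submit" value="Save" />
    </form>
</body>
</html>
```

Call Validate before any code that changes state, and only inside the IsPost branch: a GET that renders the form has no token to check yet, and a handler that saves data first and validates afterwards defeats the purpose of the check.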

Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.
© 2014 Microsoft