AntiForgery Class

Helps prevent malicious scripts from submitting forged page requests.

Namespace:  System.Web.Helpers
Assembly:  System.Web.WebPages (in System.Web.WebPages.dll)

public static class AntiForgery

Methods (all public and static):

  GetHtml()
      Adds an authenticating token to a form to help protect against request forgery.

  GetHtml(HttpContextBase, String, String, String)
      Adds an authenticating token to a form to help protect against request forgery and lets callers specify authentication details.

  Validate()
      Validates that input data from an HTML form field comes from the user who submitted the data.

  Validate(HttpContextBase, String)
      Validates that input data from an HTML form field comes from the user who submitted the data and lets callers specify additional validation details.

This class represents a helper, which is a component that simplifies web programming in ASP.NET Web Pages. You can use the AntiForgery class to help protect against malicious sites that try to forge ("spoof") requests to your site.

A common type of attack on websites is referred to as cross-site request forgery (often abbreviated as CSRF or XSRF). When users visit a malicious website or open a malicious email message or instant message, script on that content can make their browser silently submit harmful requests to a site where the users are authenticated, with the browser attaching the users' cookies as usual. In effect, the malicious site forges ("spoofs") requests so that they appear to come from a legitimate user. The forged requests then attempt to perform tasks as the logged-in user, and can range from annoying (such as logging off the user account) to serious (such as stealing money).

To help prevent XSRF attacks, use the two public methods of the AntiForgery class as follows:

  1. Call the GetHtml method in an HTML form element. The method creates an encrypted token and adds it to the form as a hidden field. It adds the same token to an HTTP cookie.

  2. After the page has been submitted, call the Validate method to validate that the form field input is legitimate and is not from a forged request. The method compares the token values in the hidden field and the HTTP cookie. If both tokens are present and the values match, the request is valid and your page can finish processing. If a token is missing or the values do not match, the request might be forged. In that case validation fails and the method throws an exception.

The following code example shows how to use the AntiForgery class to protect against request forgery. Call the GetHtml method in a form, which adds an authenticating token to the form. To validate that a legitimate user submitted the form, call the Validate method as shown in the example.

    @{
        string name = string.Empty;
        if (IsPost) {
            // Throws if the hidden-field token or the cookie token is missing or the two do not match.
            AntiForgery.Validate();
            name = Request.Form["name"];
        }
    }
    <!DOCTYPE html>
    <html lang="en">
        <head>
            <meta charset="utf-8" />
            <title>Antiforgery helper</title>
        </head>
        <body>
            @if (IsPost)
            {<span>You typed in @name</span> }
            <form method="post" action="">
                @* Emits the hidden token field and sets the matching cookie. *@
                @AntiForgery.GetHtml()
                <label><strong>Name : </strong></label>
                <input type="text" name="name" value="@name" />
                <input type="submit" value="Go" />
            </form>
        </body>
    </html>
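The page states that Validate throws when a token is missing or the values do not match, but the example above lets that exception propagate as an unhandled error. The following Razor page is an added example (not code from the reference page or from the ASP.NET Web Pages project) that uses the two four-argument overloads listed above so the token is bound to this particular form by a salt, and catches the failure so a forged or stale submission is answered with a plain HTTP 400 and no work is done. It assumes the parameter roles of GetHtml(HttpContextBase, String, String, String) are (context, salt, cookie domain, cookie path) and of Validate(HttpContextBase, String) are (context, salt), that the page's Context property exposes the HttpContextBase, and that a failed check surfaces as System.Web.Helpers.HttpAntiForgeryException; the salt value "profile-edit" is constructed for illustration.

```cshtml
@* Added example, not from the reference page. Assumptions: the overload
   parameters are (context, salt, domain, path) / (context, salt), and a
   failed check throws HttpAntiForgeryException. *@
@using System.Web.Helpers
@{
    // Constructed value: the same salt must be passed to GetHtml and Validate,
    // so a token issued for another form on the site is rejected here.
    const string FormSalt = "profile-edit";
    string name = string.Empty;
    string error = null;

    if (IsPost)
    {
        try
        {
            // Step 2 of the procedure: compare the hidden-field token with the cookie token.
            AntiForgery.Validate(Context, FormSalt);
            name = Request.Form["name"];
        }
        catch (HttpAntiForgeryException)
        {
            // Missing or mismatched token: treat the request as forged and process nothing.
            Response.StatusCode = 400;
            error = "The request could not be verified. Reload the page and try again.";
        }
    }
}
<!DOCTYPE html>
<html lang="en">
    <head>
        <meta charset="utf-8" />
        <title>Antiforgery helper with a salt</title>
    </head>
    <body>
        @if (error != null)
        {
            <p>@error</p>
        }
        else if (IsPost)
        {
            <p>You typed in @name</p>
        }
        <form method="post" action="">
            @* Step 1: hidden field plus cookie. Passing null for domain and path
               leaves the cookie on the application's defaults. *@
            @AntiForgery.GetHtml(Context, FormSalt, null, null)
            <label><strong>Name : </strong></label>
            <input type="text" name="name" value="@name" />
            <input type="submit" value="Go" />
        </form>
    </body>
</html>
```

Catching the exception only changes how the failure is reported; the check itself is unchanged, and the request body is never read before Validate succeeds. The token protects the form against cross-site submission but does not authenticate the user, so the page's normal authorization checks still apply after validation.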

Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.