Helps prevent malicious scripts from submitting forged page requests.
Assembly: System.Web.WebPages (in System.Web.WebPages.dll)
The type exposes the following members.
| Name | Description |
|---|---|
| GetHtml | Adds an authenticating token to a form to help protect against request forgery. |
| GetHtml(HttpContextBase, String, String, String) | Obsolete. Adds an authenticating token to a form to help protect against request forgery and lets callers specify authentication details. |
| GetTokens | Gets the search tokens. |
| Validate | Validates that input data from an HTML form field comes from the user who submitted the data. |
| Validate(String, String) | Validates that input data from an HTML form field comes from the user who submitted the data. |
| Validate(HttpContextBase, String) | Obsolete. Validates that input data from an HTML form field comes from the user who submitted the data and lets callers specify additional validation details. |
This class represents a helper, which is a component that simplifies web programming in ASP.NET Web Pages. You can use the class to help protect against malicious sites that try to forge ("spoof") requests to your site.
A common type of attack on websites is cross-site request forgery (often abbreviated as CSRF or XSRF). When users visit a malicious website or open a malicious email or instant message, code running in their browser can secretly submit harmful requests to a site where the users are already authenticated. In effect, the malicious site forges ("spoofs") requests so that they appear to come from a legitimate user. The forged requests then attempt to perform actions as the logged-in user, and can range from annoying (such as logging off the user account) to serious (such as stealing money).
To help prevent CSRF attacks, use the two public methods of the class as follows:

1. Call the GetHtml method inside an HTML form element. The method creates an encrypted token and adds it to the form as a hidden field. It adds the same token to an HTTP cookie.
2. After the page has been submitted, call the Validate method to confirm that the form field input is legitimate and not from a forged request. The method compares the token values in the hidden field and the HTTP cookie. If both tokens are present and the values match, the request is valid and your page can finish processing. If a token is missing or the values do not match, the request might be forged; in that case validation fails and the method throws an exception.
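Both steps in a single ASP.NET Web Pages (Razor) page, as an added example that is not part of the original reference page. It assumes the class is the AntiForgery helper in the System.Web.Helpers namespace (shipped in System.Web.WebPages.dll) and that a failed Validate call throws HttpAntiForgeryException.

```cshtml
@{
    // Added example, not from the original reference page.
    // Assumes System.Web.Helpers.AntiForgery from System.Web.WebPages.dll.
    var message = "";

    if (IsPost) {
        try {
            // Step 2: compare the hidden-field token with the cookie token.
            // Throws when either token is missing or the values differ.
            AntiForgery.Validate();

            // Only reached for a request that carried matching tokens,
            // so state-changing work belongs here.
            var comment = Request.Form["comment"];
            message = "Token valid; comment accepted.";
        }
        catch (System.Web.Helpers.HttpAntiForgeryException) {
            // Possible forged request: reject it and do not process the form.
            Response.StatusCode = 400;
            message = "Request rejected: anti-forgery token missing or mismatched.";
        }
    }
}
<!DOCTYPE html>
<html>
<body>
    <form method="post">
        @* Step 1: emits the hidden field and sets the matching cookie. *@
        @AntiForgery.GetHtml()
        <input type="text" name="comment" />
        <input type="submit" value="Post" />
    </form>
    <p>@message</p>
</body>
</html>
```

A cross-site form post cannot read or set the site's cookie, so it can supply at most one of the two tokens and Validate rejects it.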