AntiForgery Class

Summary

Provides access to the anti-forgery system, which provides protection against Cross-site Request Forgery (XSRF, also called CSRF) attacks.

Syntax

public sealed class AntiForgery

class Microsoft.AspNet.Mvc.AntiForgery

Constructors

AntiForgery(Microsoft.AspNet.Mvc.IClaimUidExtractor, IDataProtectionProvider, Microsoft.AspNet.Mvc.IAntiForgeryAdditionalDataProvider, IOptions<Microsoft.AspNet.Mvc.AntiForgeryOptions>, IHtmlEncoder, IOptions<DataProtectionOptions>)

public AntiForgery(IClaimUidExtractor claimUidExtractor, IDataProtectionProvider dataProtectionProvider, IAntiForgeryAdditionalDataProvider additionalDataProvider, IOptions<AntiForgeryOptions> antiforgeryOptions, IHtmlEncoder htmlEncoder, IOptions<DataProtectionOptions> dataProtectionOptions)

Methods

GetHtml(HttpContext)

Generates an anti-forgery token for this request. This token can be validated by calling the Validate() method.

Arguments:
  • context (HttpContext) – The HTTP context associated with the current call.
Return type:

Microsoft.AspNet.Mvc.Rendering.TagBuilder

Returns:

An HTML string corresponding to an <input type="hidden"> element. This element should be put inside a <form>.

public TagBuilder GetHtml(HttpContext context)

GetTokens(HttpContext, System.String)

Generates an anti-forgery token pair (cookie and form token) for this request. This method is similar to GetHtml(HttpContext context), but this method gives the caller control over how to persist the returned values. To validate these tokens, call the appropriate overload of Validate.

Arguments:
  • context (HttpContext) – The HTTP context associated with the current call.
  • oldCookieToken (System.String) – The anti-forgery token - if any - that already existed for this request. May be null. The anti-forgery system will try to reuse this cookie value when generating a matching form token.
Return type:

Microsoft.AspNet.Mvc.AntiForgeryTokenSet

public AntiForgeryTokenSet GetTokens(HttpContext context, string oldCookieToken)

SetCookieTokenAndHeader(HttpContext)

Generates and sets an anti-forgery cookie if one is not available or not valid. Also sets response headers.

Arguments:
  • context (HttpContext) – The HTTP context associated with the current call.

public void SetCookieTokenAndHeader(HttpContext context)

Validate(HttpContext, Microsoft.AspNet.Mvc.AntiForgeryTokenSet)

Validates an anti-forgery token pair that was generated by the GetTokens method.

Arguments:
  • context (HttpContext) – The HTTP context associated with the current call.
  • antiForgeryTokenSet (Microsoft.AspNet.Mvc.AntiForgeryTokenSet) – The anti-forgery token pair (cookie and form token) for this request.

public void Validate(HttpContext context, AntiForgeryTokenSet antiForgeryTokenSet)

Validate(HttpContext, System.String, System.String)

Validates an anti-forgery token pair that was generated by the GetTokens method.

Arguments:
  • context (HttpContext) – The HTTP context associated with the current call.
  • cookieToken (System.String) – The token that was supplied in the request cookie.
  • formToken (System.String) – The token that was supplied in the request form body.

public void Validate(HttpContext context, string cookieToken, string formToken)
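
Added example (not part of the original reference and not the project's own code): one way to use GetTokens(HttpContext, System.String) together with Validate(HttpContext, System.String, System.String) when the caller persists the pair itself and the form token travels in a request header instead of a hidden field. Assumptions: the CookieToken and FormToken properties on AntiForgeryTokenSet, a null CookieToken meaning the old cookie value was reused, Validate throwing when the pair does not match, and the HttpContext cookie and header indexers. The HeaderAntiForgery class, the cookie name and the header name are hypothetical.

```csharp
using System;
using Microsoft.AspNet.Http;
using Microsoft.AspNet.Mvc;

// Added example: caller-managed persistence of the anti-forgery token pair.
public class HeaderAntiForgery
{
    // Hypothetical names chosen for this example.
    private const string CookieName = "XSRF-COOKIE";
    private const string HeaderName = "X-XSRF-TOKEN";

    private readonly AntiForgery _antiForgery;

    public HeaderAntiForgery(AntiForgery antiForgery)
    {
        _antiForgery = antiForgery;
    }

    // Call while serving a page (GET) so client script can read the form token.
    public void Issue(HttpContext context)
    {
        // May be null on the first visit; GetTokens accepts null.
        string oldCookieToken = context.Request.Cookies[CookieName];
        AntiForgeryTokenSet tokens = _antiForgery.GetTokens(context, oldCookieToken);

        // Assumption: CookieToken is null when the old cookie value was reused,
        // so a cookie is written only when a new value was generated.
        if (tokens.CookieToken != null)
        {
            context.Response.Cookies.Append(CookieName, tokens.CookieToken,
                new CookieOptions { HttpOnly = true, Secure = true });
        }
        context.Response.Headers[HeaderName] = tokens.FormToken;
    }

    // Call before executing any state-changing request (POST, PUT, DELETE).
    public void Check(HttpContext context)
    {
        string cookieToken = context.Request.Cookies[CookieName];
        string headerToken = context.Request.Headers[HeaderName];

        // Reject early when either half of the pair is absent.
        if (string.IsNullOrEmpty(cookieToken) || string.IsNullOrEmpty(headerToken))
        {
            throw new InvalidOperationException("Anti-forgery token pair is missing.");
        }
        // Assumption: Validate returns void and throws if the pair does not match.
        _antiForgery.Validate(context, cookieToken, headerToken);
    }
}
```

The cookie is marked HttpOnly because only the server needs to read it; the form token is the half that client script copies into the request header.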
ValidateAsync(HttpContext)

Validates an anti-forgery token that was supplied for this request. The anti-forgery token may be generated by calling GetHtml(HttpContext context).

Arguments:
  • context (HttpContext) – The HTTP context associated with the current call.
Return type:

System.Threading.Tasks.Task

public Task ValidateAsync(HttpContext context)