<p>The anti-forgery token works by a cookie and a hidden input field in the form. They both hold the same encrypted value. When the controller handles an action decorated with <code>[ValidateAntiForgeryToken]</code> it checks if the values in the cookie and the hidden input field match. If they don't, you get a nice exception.</p>
<p>You can use code like this</p>
<p>View:</p>
<pre><code>&lt;% using (var form = Html.BeginForm("DoSomething", "Default")) { %&gt;
    &lt;%: Html.ValidationMessageFor(x =&gt; x) %&gt;
    &lt;%: Html.AntiForgeryToken() %&gt;
    &lt;%: Html.Hidden("a", 200) %&gt;
    &lt;input type="submit" value="Go"/&gt;
&lt;% } %&gt;
</code></pre>
<p>Controller:</p>
<pre><code>using System.Web.Mvc;

public class DefaultController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    // Only runs when the cookie token and the posted hidden-field token match.
    [ValidateAntiForgeryToken]
    public ActionResult DoSomething(int a)
    {
        return View("Index");
    }
}
</code></pre>
<p>But then the form generated gets a <code>method="post"</code> attribute. On the controller side you don't need to specify <code>[AcceptVerbs(HttpVerbs.Post)]</code>. So the answer to your question is that you can use AntiForgeryToken without the AcceptVerbs attribute. You just need to use the POST method in the form.</p>
<p>To continue with the sample, if you specify <code>[AcceptVerbs(HttpVerbs.Get)]</code> on the action and <code>Html.BeginForm("DoSomething", "Default", FormMethod.Get)</code>, the example won't work, because the GET request does not contain the cookie; only the hidden input value gets encoded in the query string.</p>
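<p>The cookie-plus-hidden-field comparison the answer describes, as an added illustration that is neither the ASP.NET MVC implementation nor code from the answer: a random token stands in for the framework's encrypted value, and the shared cookie/field name <code>__RequestVerificationToken</code> is an assumption. It shows the POST form passing, the <code>FormMethod.Get</code> variant failing because the request body carries no token, and a token supplied by another origin being rejected.</p>

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
// Illustrative model of the double-submit check, not the framework's implementation.
public static class AntiForgeryModel
{
    public const string TokenName = "__RequestVerificationToken"; // assumed field/cookie name
    // Issue one random token; the view places it in both the cookie and the hidden field.
    public static string IssueToken()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes);
    }
    // Cookie token and posted form token must both be present and equal.
    // The query string is never read, which is why the FormMethod.Get variant fails.
    public static bool Validate(IDictionary<string, string> cookies, IDictionary<string, string> form)
    {
        string cookieToken, formToken;
        if (!cookies.TryGetValue(TokenName, out cookieToken)) return false;
        if (!form.TryGetValue(TokenName, out formToken)) return false;
        return FixedTimeEquals(Encoding.UTF8.GetBytes(cookieToken), Encoding.UTF8.GetBytes(formToken));
    }

    // Constant-time comparison: a mismatch must not leak how many leading bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        string token = IssueToken();
        var cookies = new Dictionary<string, string> { { TokenName, token } };
        // POST form from the answer: the hidden field travels in the body next to the cookie.
        var postForm = new Dictionary<string, string> { { TokenName, token }, { "a", "200" } };
        Console.WriteLine("POST form valid: " + Validate(cookies, postForm));
        // FormMethod.Get variant: the token went into the query string, the body is empty.
        var getForm = new Dictionary<string, string>();
        Console.WriteLine("GET form valid: " + Validate(cookies, getForm));
        // Cross-site forged POST: the other origin cannot read the cookie, so its token differs.
        var forged = new Dictionary<string, string> { { TokenName, IssueToken() } };
        Console.WriteLine("Forged POST valid: " + Validate(cookies, forged));
    }
}
```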