AntiForgery Class
Helps prevent malicious scripts from submitting forged page requests.
Inheritance Hierarchy
System.Object
System.Web.Helpers.AntiForgery
Namespace: System.Web.Helpers
Assembly: System.Web.WebPages (in System.Web.WebPages.dll)
Syntax
Visual Basic
'Declaration
Public NotInheritable Class AntiForgery
'Usage
C#
public static class AntiForgery
C++
public ref class AntiForgery abstract sealed
F#
[<AbstractClassAttribute>]
[<SealedAttribute>]
type AntiForgery = class end
JScript
public final class AntiForgery
The AntiForgery type exposes the following members.
Methods
Name | Description
---|---
GetHtml() | Returns a hidden form field containing an anti-forgery token and sets the matching anti-forgery cookie on the response. Place the result inside a form to help protect against request forgery.
GetHtml(HttpContextBase, String, String, String) | Obsolete. Same as GetHtml(), but lets callers specify the context, salt, domain and path details.
GetTokens | Generates a cookie token and a form token as a matched pair, for callers that emit the tokens themselves instead of using GetHtml() (for example, for a request sent by script).
Validate() | Validates that the form token in the current request and the anti-forgery cookie belong together and to the current user, so the input comes from a form the site issued rather than from a forged request. Throws HttpAntiForgeryException if validation fails.
Validate(String, String) | Validates a cookie token and a form token supplied by the caller, for requests whose tokens do not arrive in the standard hidden field and cookie. Throws HttpAntiForgeryException if validation fails.
Validate(HttpContextBase, String) | Obsolete. Validates the tokens in the given context and lets callers specify a salt value.
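GetTokens and Validate(String, String) exist for callers that cannot use the hidden field and cookie exactly as GetHtml() emits them, for example script that posts JSON with XMLHttpRequest and so has no HTML form to carry the hidden field. The following Web Pages (Razor) page is added here as an example; it is not taken from the original page or from the framework's own samples. It issues the token pair on GET and checks it on POST. The page name Api.cshtml, the header name X-RequestVerificationToken and the JSON payload are assumptions.

```cshtml
@* Api.cshtml (hypothetical name). GET: render the page and hand the form token
   to script. POST: expect the form token in a request header and validate it
   against the anti-forgery cookie. Added example, not framework code. *@
@{
    var cookieName = AntiForgeryConfig.CookieName;     // the same cookie GetHtml() uses
    var existing = Request.Cookies[cookieName];
    var cookieToken = existing == null ? null : existing.Value;
    string formToken = null;

    if (IsPost) {
        // The browser attaches the cookie on its own, even for a cross-site request.
        // The form token has to be placed in the header by our own script, which a
        // page on another origin cannot do, so a forged request fails here.
        var headerToken = Request.Headers["X-RequestVerificationToken"];  // assumed header name
        AntiForgery.Validate(cookieToken, headerToken);  // throws HttpAntiForgeryException on failure

        // Only reached for a request that carried a valid token pair.
        Response.ContentType = "application/json";
        Response.Write("{\"ok\":true}");
    } else {
        // Reuse a valid existing cookie token. GetTokens returns newCookieToken == null
        // when the old cookie token is still usable, so only set the cookie when needed.
        string newCookieToken;
        AntiForgery.GetTokens(cookieToken, out newCookieToken, out formToken);
        if (newCookieToken != null) {
            Response.Cookies.Add(new HttpCookie(cookieName, newCookieToken) { HttpOnly = true });
        }
    }
}
@if (!IsPost) {
<html>
<body>
<script>
    // The form token is embedded by the server; script echoes it back in a header.
    var token = "@formToken";
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "@Href("~/Api.cshtml")");
    xhr.setRequestHeader("X-RequestVerificationToken", token);
    xhr.setRequestHeader("Content-Type", "application/json");
    xhr.send(JSON.stringify({ amount: 10, toAccount: "1234" }));  // constructed sample payload
</script>
</body>
</html>
}
```

The two-argument Validate does exactly what Validate() does, it only changes where the tokens are read from; the cookie token is still read from the request cookie, and the page must be the one that put the form token where script can reach it.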
Remarks
This class represents a helper, which is a component that simplifies web programming in ASP.NET Web Pages. You can use the AntiForgery class to help protect against malicious sites that try to forge ("spoof") requests to your site.
A common type of attack on websites is cross-site request forgery (usually abbreviated CSRF or XSRF). When a user visits a malicious website or opens a malicious email or instant message, content on that page or message can make the user's browser send a request to a site where the user is currently authenticated. The browser attaches that site's cookies, including the authentication cookie, automatically, so the site cannot tell the request apart from one the user made deliberately. In effect, the malicious site forges ("spoofs") requests so that they appear to come from a legitimate user. The forged requests then attempt to perform tasks as the logged-in user, and can range from annoying (such as logging the user off) to serious (such as transferring money).
To help prevent CSRF attacks, use the GetHtml and Validate methods of the AntiForgery class as follows:
Call the GetHtml method inside an HTML form element. The method emits a hidden form field that carries an anti-forgery token and sets a second, related token in an HTTP cookie. The two are not identical copies: the form token is bound to the secret held in the cookie and to the identity of the logged-in user. A page on another origin can make the browser send the cookie, but it cannot read the hidden field, so it cannot supply a matching pair.
After the page has been submitted, call the Validate method before acting on the posted data. The method reads the hidden field and the cookie and checks that the two tokens belong together and to the current user. If both are present and they correspond, the request is valid and your page can finish processing. If either token is missing or they do not correspond, the request might be forged; validation fails and the method throws an HttpAntiForgeryException, so the rest of the handler does not run.
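A complete Web Pages (Razor) page that follows the two steps above, added here as an example; it is not taken from the original page or from the framework's own samples. The page name, the account-transfer scenario, the field names and the TransferFunds helper mentioned in a comment are assumptions.

```cshtml
@* Transfer.cshtml (hypothetical name). The same page renders the form on GET and
   handles the submission on POST, the usual Web Pages pattern. Added example. *@
@{
    var message = "";

    if (IsPost) {
        // Step 2: validate before touching the posted data. If the hidden field or the
        // cookie is missing, or the two tokens do not belong together, this throws
        // System.Web.Helpers.HttpAntiForgeryException and nothing below runs.
        AntiForgery.Validate();

        // Only reached for a request that carried a valid token pair.
        var amount = Request.Form["amount"];
        var toAccount = Request.Form["toAccount"];
        // TransferFunds(User.Identity.Name, toAccount, amount) would go here
        // (assumed application helper, not shown).
        message = "Transfer of " + amount + " to account " + toAccount + " accepted.";
    }
}
<!DOCTYPE html>
<html>
<head><title>Transfer</title></head>
<body>
    @if (message != "") {
        <p>@message</p>
    }
    @* Step 1: GetHtml() emits a hidden input named __RequestVerificationToken and
       sets the matching anti-forgery cookie on the response. A cross-site page can
       make the victim's browser send the cookie, but it cannot read the hidden
       field, so it cannot produce a matching pair. *@
    <form method="post" action="">
        @AntiForgery.GetHtml()
        <p><label>Amount <input type="text" name="amount" /></label></p>
        <p><label>To account <input type="text" name="toAccount" /></label></p>
        <input type="submit" value="Transfer" />
    </form>
</body>
</html>
```

Two points worth checking in your own pages: Validate only protects the handlers that call it, so every code path that changes state needs the call, and such paths should be reachable only by POST, since GetHtml() puts the token into a form and a GET handler that modifies data has nothing to validate. The token also assumes the page is free of script injection; a cross-site scripting bug on the same origin lets an attacker read the hidden field, so anti-forgery tokens do not replace output encoding.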
Thread Safety
Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.